
CVE-2025-6479: SQL Injection in code-projects Simple Pizza Ordering System

Severity: Medium
Published: Sun Jun 22 2025 (06/22/2025, 14:00:16 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Pizza Ordering System

Description

A vulnerability classified as critical has been found in code-projects Simple Pizza Ordering System 1.0. This affects an unknown part of the file /salesreport.php. The manipulation of the argument dayfrom leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/22/2025, 14:34:35 UTC

Technical Analysis

CVE-2025-6479 is an SQL injection vulnerability, classified as critical in its CVE description, in version 1.0 of the code-projects Simple Pizza Ordering System, located in the /salesreport.php script. The 'dayfrom' parameter is used in an SQL query without adequate sanitization or validation, so a remote attacker can alter the query by manipulating that parameter and potentially gain unauthorized access to the underlying database, leading to disclosure, modification or deletion of data. Exploitation requires neither authentication nor user interaction, so the flaw is reachable over the network. The CVSS 4.0 base score is 6.9 (medium), although the description classifies the issue as critical, suggesting that the impact could be significant depending on the deployment context. Only version 1.0 is affected; the product is a niche application likely used by small and medium-sized pizza businesses for order management and sales reporting. No official patch has been published and no exploitation in the wild is known, but the exploit details have been publicly disclosed, which raises the risk of opportunistic attacks. Confidentiality, integrity and, to some extent, availability are all affected: an attacker could extract sensitive sales data, alter records, or disrupt service through crafted SQL commands.

Potential Impact

For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a risk of unauthorized access to sensitive business data such as sales reports, customer orders, and potentially payment information if stored in the database. This could lead to financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for protecting personal data. Small and medium enterprises (SMEs) in the food service sector are most at risk, as they may lack dedicated cybersecurity resources to promptly detect and mitigate such vulnerabilities. The ability to exploit this vulnerability remotely without authentication increases the attack surface, potentially allowing attackers to compromise multiple installations across different locations. While the overall market penetration of this specific software in Europe is likely limited, organizations relying on it for critical business operations could face operational disruptions and data breaches. Additionally, attackers could leverage this vulnerability as a foothold to pivot into broader internal networks if the affected system is connected to other corporate infrastructure.

Mitigation Recommendations

1. Immediate mitigation should involve implementing input validation and parameterized queries or prepared statements in the /salesreport.php script to prevent SQL injection attacks.
2. Organizations should conduct an audit to identify all instances of the Simple Pizza Ordering System version 1.0 in their environment and isolate affected systems until patched.
3. If source code access is available, developers should review and sanitize all user inputs, especially those used in SQL queries, and apply secure coding practices.
4. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting the 'dayfrom' parameter.
5. Monitoring and logging database queries and web application logs for unusual activity related to salesreport.php can help detect exploitation attempts early.
6. Organizations should engage with the vendor or community to obtain or develop patches and apply them promptly once available.
7. As a longer-term measure, consider migrating to more secure and actively maintained ordering systems with robust security practices.
8. Educate staff about the risks of using outdated software and the importance of timely updates and vulnerability management.
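Worked example added here, not code from the advisory or from the Simple Pizza Ordering System (whose actual /salesreport.php query is not shown): a hardened sales-report handler covering recommendations 1 and 3, plus a log check for recommendation 5 that flags requests whose dayfrom/dayto is not a plain date. The table and column names (orders, order_date, total), the PDO handle and the combined access-log format are assumptions.

```php
<?php
// Added example, not the project's code. Assumed: PDO connection, an `orders`
// table with `order_date`/`total` columns, and Apache/Nginx combined log lines.
declare(strict_types=1);

// Accept only a real calendar date written as YYYY-MM-DD; anything else is rejected.
function isReportDate(string $raw): bool
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return false;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls invalid dates over (2025-02-30 -> Mar 2), so round-trip it.
    return $d !== false && $d->format('Y-m-d') === $raw;
}

// Fix (items 1 and 3): validate, then bind the dates as parameters instead of
// splicing them into the SQL string (the pattern that makes the report injectable).
function salesReport(PDO $db, string $dayFrom, string $dayTo): array
{
    if (!isReportDate($dayFrom) || !isReportDate($dayTo) || $dayFrom > $dayTo) {
        throw new InvalidArgumentException('dayfrom/dayto must be YYYY-MM-DD with from <= to');
    }
    $stmt = $db->prepare(
        'SELECT order_date, SUM(total) AS revenue FROM orders
          WHERE order_date BETWEEN :dayfrom AND :dayto GROUP BY order_date ORDER BY order_date'
    );
    $stmt->execute([':dayfrom' => $dayFrom, ':dayto' => $dayTo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Detection (item 5): scan access-log lines for /salesreport.php requests whose
// dayfrom/dayto would fail the same validator; returns [param, value, line] triples.
function flagSalesReportRequests(iterable $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) continue;
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== '/salesreport.php' || empty($url['query'])) continue;
        parse_str($url['query'], $q);          // parse_str also URL-decodes the values
        foreach (['dayfrom', 'dayto'] as $p) {
            // Non-string values (dayfrom[]=...) are flagged too, not just malformed dates.
            if (isset($q[$p]) && (!is_string($q[$p]) || !isReportDate($q[$p]))) {
                $hits[] = [$p, $q[$p], $line];
            }
        }
    }
    return $hits;
}
```

Call `salesReport($db, $_GET['dayfrom'] ?? '', $_GET['dayto'] ?? '')` from the report page and return HTTP 400 on the exception; feed `flagSalesReportRequests()` a constructed line such as `"GET /salesreport.php?dayfrom=2025-06-01%27&dayto=2025-06-21 HTTP/1.1"` to see the stray quote flagged.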


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-21T05:52:36.366Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685810f1179a4edd60b47189

Added to database: 6/22/2025, 2:19:29 PM

Last enriched: 6/22/2025, 2:34:35 PM

Last updated: 8/18/2025, 1:41:56 AM

