CVE-2025-6480: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability classified as critical was found in code-projects Simple Pizza Ordering System 1.0. It affects unknown code in the file /addcatexec.php: manipulation of the argument textfield leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6480 is a SQL injection vulnerability in version 1.0 of the code-projects Simple Pizza Ordering System, located in /addcatexec.php. The 'textfield' argument reaches a database query without adequate sanitization or validation, so an attacker who controls that argument can change the query the application sends to its backend database. The flaw is reachable over the network, and the CVSS 4.0 vector records no privileges required (PR:N) and no user interaction (UI:N), so by that assessment no authentication is needed. The page gives no detail of the database backend or of the query involved; the usual consequences of SQL injection are unauthorized disclosure, modification or deletion of data and, depending on the privileges of the database account the application uses, compromise of the underlying host. VulDB classifies the issue as critical, but its CVSS 4.0 base score is 6.9, which is medium severity: attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). No patch or vendor mitigation has been published, and no exploitation in the wild has been reported, although exploit details are public. Only version 1.0 is listed as affected. Simple Pizza Ordering System is a small PHP web application distributed through code-projects; where it is deployed, it handles online ordering and menu management for a small food-service business, so exploitation could expose customer and order data and, depending on what the injected query can reach, administrative functions.
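The mechanism described above, as an added illustration that is not code from the Simple Pizza Ordering System (the advisory does not reproduce its source): a hypothetical "add category" handler modelled in Python on an in-memory SQLite database rather than the application's PHP and unspecified backend. The table names, the shape of the INSERT and the payload are assumptions chosen to show how an insert-only injection through a single parameter can still pull data out of another table, and how binding the parameter neutralizes it.

```python
import re
import sqlite3


# Constructed schema standing in for the application's unpublished database.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES ('admin', 's3cret-hash');
        """
    )
    return conn


def category_names(conn):
    """What a category listing page would later render."""
    return [row[0] for row in conn.execute("SELECT name FROM categories ORDER BY id")]


def add_category_vulnerable(conn, textfield):
    """Models the flaw: the parameter is spliced into the SQL text, so a quote
    in it ends the string literal and everything after it is parsed as SQL."""
    sql = "INSERT INTO categories (name) VALUES ('" + textfield + "')"
    conn.execute(sql)
    conn.commit()
    return category_names(conn)


def add_category_parameterized(conn, textfield):
    """The fix: the driver sends the value separately from the SQL text, so
    whatever the value contains is stored as data and never parsed as SQL."""
    conn.execute("INSERT INTO categories (name) VALUES (?)", (textfield,))
    conn.commit()
    return category_names(conn)


# Defence in depth: a category name is a short human-readable label, so an
# allow-list rejects most payloads before they reach the database. This is an
# assumed policy for the example, not one taken from the application.
CATEGORY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 &'\-]{0,49}$")


def is_valid_category_name(textfield):
    return CATEGORY_NAME_RE.fullmatch(textfield) is not None


# Constructed payload: closes the literal, appends a second VALUES row whose
# value is a scalar subquery, and comments out the trailing "')" so the
# resulting statement stays syntactically valid.
PAYLOAD = "x'), ((SELECT password FROM users WHERE username='admin')) -- "


if __name__ == "__main__":
    # The vulnerable handler stores the admin password hash as a "category";
    # the parameterized one stores the payload string itself, harmlessly.
    print("vulnerable    :", add_category_vulnerable(make_demo_db(), PAYLOAD))
    print("parameterized :", add_category_parameterized(make_demo_db(), PAYLOAD))
    print("allow-list    :", is_valid_category_name("Vegan Pizzas"), is_valid_category_name(PAYLOAD))
```

Note that the injected statement needs no stacked queries and no UNION: a single INSERT with a subquery is enough to copy data into a table the attacker can read through the normal UI, which is why "the parameter only feeds an INSERT" is not an argument against severity. Parameter binding is the fix; the allow-list only narrows what reaches the query.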
Potential Impact
For European organizations, in practice small and medium enterprises in the food service sector that run Simple Pizza Ordering System 1.0 on an internet-facing host, the vulnerability is a direct risk to the data the application holds. Exploitation could disclose whatever customer personal data the application stores, including order histories, which falls under GDPR with the attendant notification duties, penalties and reputational damage. Order data could be altered or deleted, enabling fraudulent orders or disrupting operations, and a destructive query could leave the application unavailable. If the ordering system shares a host, database server or network segment with other systems, an attacker could use it as a foothold for further movement. Because no patch exists and exploit details are public, opportunistic exploitation is more likely, especially for deployments without a web application firewall or other input-handling controls in front of them.
Mitigation Recommendations
1. Until the vendor releases a fix, put a web application firewall in front of the application with rules that target SQL injection patterns in requests to /addcatexec.php, in particular the 'textfield' parameter. Rules must match on the decoded parameter value and on the request body, not only on the URL.
2. Fix the root cause in the code: pass 'textfield', and every other user-supplied value, to the database through parameterized queries or prepared statements. Input validation (for example an allow-list of characters for a category name) is useful defence in depth but is not a substitute for binding parameters.
3. Where possible, replace the application with one that is maintained, or apply a vendor fix if one appears; no fixed version is listed on this page.
4. Run the application with a database account that holds only the privileges it needs, with no schema-changing or administrative rights, so that a successful injection reaches as little as possible.
5. Monitor web server, WAF and database logs for requests to /addcatexec.php whose 'textfield' value contains quote characters, comment sequences or SQL keywords, and for database syntax errors that indicate malformed input reaching a query.
6. Place the ordering system in its own network segment, separated from internal systems, so that a compromise of the web host is contained.
7. Make IT staff and administrators aware of the vulnerability and track the vendor for a patch so it can be applied promptly.
8. Include the application in regular security assessments and penetration tests that focus on web application input handling, so that similar flaws are found before they are disclosed publicly.
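Mitigation items 1 and 5 above in working form, as an added example that is not part of the original advisory: a small scanner, written in Python, that parses constructed Apache-style access-log lines, decodes the 'textfield' parameter of requests to /addcatexec.php and flags values that carry SQL injection indicators. The log lines, client addresses and indicator patterns are constructed for the example; the matching logic is the same one a parameter-targeted WAF rule would apply, and like the rule it works on the decoded value.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/addcatexec.php"
TARGET_PARAM = "textfield"

# Indicator patterns applied to the *decoded* parameter value. The names are
# reported so an analyst can see which rule fired. These are indicators, not
# proof: review hits against database error logs before acting on them.
SQLI_RULES = {
    "quote-then-boolean": re.compile(r"'\s*\)*\s*(or|and)\b", re.I),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "comment-sequence": re.compile(r"(--|/\*|#)"),
    "stacked-statement": re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),
}

# Apache combined log format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def sqli_indicators(value):
    """Return the names of the rules that match a decoded parameter value."""
    return [name for name, rx in SQLI_RULES.items() if rx.search(value)]


def scan_access_log(lines):
    """Return (client_ip, status, decoded_textfield, matched_rules) for every
    request to the vulnerable endpoint whose textfield looks like injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as the app would.
        for value in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
            rules = sqli_indicators(value)
            if rules:
                hits.append((ip, int(status), value, rules))
    return hits


# Constructed sample: two benign category names (one with an apostrophe, to
# show it is not flagged), an unrelated request, and two injection attempts
# against the advisory's parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2025:14:49:29 +0000] "GET /addcatexec.php?textfield=Vegan+Pizzas HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2025:14:49:41 +0000] "GET /addcatexec.php?textfield=Chef%27s+Special HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jun/2025:14:51:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [22/Jun/2025:14:52:40 +0000] "GET /addcatexec.php?textfield=%27+OR+%271%27%3D%271 HTTP/1.1" 500 0 "-" "python-requests/2.32"
203.0.113.9 - - [22/Jun/2025:14:53:02 +0000] "GET /addcatexec.php?textfield=x%27%29%2C+%28%28SELECT+password+FROM+users%29%29+--+ HTTP/1.1" 302 0 "-" "python-requests/2.32"
""".splitlines()


if __name__ == "__main__":
    for ip, status, value, rules in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} textfield={value!r} -> {', '.join(rules)}")
```

An access log only shows values sent in the query string. If the category form submits by POST (the page does not say which method /addcatexec.php expects), the value never appears there, and the same check has to run on a WAF audit log, an application-level request log, or inside the WAF itself. Also note the second attempt returned 302 rather than an error: a successful injection often looks like a normal request in the status column, so the parameter content, not the status code, is what to alert on.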
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland
Technical Details
Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-21T05:52:38.718Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 685817f9179a4edd60b47676
Added to database: 6/22/2025, 2:49:29 PM
Last enriched: 6/22/2025, 3:04:41 PM
Last updated: 8/18/2025, 11:22:50 PM
Related Threats
CVE-2025-8357: CWE-862 Missing Authorization in dglingren Media Library Assistant (Medium)
CVE-2025-5417: Incorrect Privilege Assignment in Red Hat Red Hat Developer Hub (Medium)
CVE-2025-7496: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpclever WPC Smart Compare for WooCommerce (Medium)
CVE-2025-57725 (Low)
CVE-2025-57724 (Low)