CVE-2025-6936: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file /addpro.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6936 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Simple Pizza Ordering System, specifically within the /addpro.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which allows an attacker to manipulate SQL queries executed by the application. This flaw enables remote attackers to inject arbitrary SQL code without requiring authentication or user interaction, potentially leading to unauthorized data access, data modification, or disruption of the backend database. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known active exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 6.9, indicating a medium severity level, reflecting the ease of exploitation (network accessible, no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (low to limited impact). The vulnerability affects only version 1.0 of the Simple Pizza Ordering System, a niche web application likely used by small to medium-sized businesses for pizza order management. The lack of a patch or mitigation details suggests that users of this software must take immediate action to protect their systems.
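To make the flaw described above concrete, the following added example (not code from the Simple Pizza Ordering System, whose actual addpro.php source and schema are not shown on this page) contrasts a lookup that splices an untrusted ID into the query text with two hardened variants: one that only parameterizes the value, and one that also validates that ID is a positive integer. It uses Python and an in-memory SQLite table with constructed rows in place of the application's PHP/MySQL stack; the table name, columns and the tampered input value are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Margherita", 8.5), (2, "Pepperoni", 9.5), (3, "Quattro Formaggi", 10.0)],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    # The request parameter is pasted into the SQL text, so whatever the
    # client sends becomes part of the query grammar, not just a value.
    sql = f"SELECT id, name FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    # The driver sends the value separately from the statement; the value can
    # never change the WHERE clause, whatever characters it contains.
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (raw_id,)
    ).fetchall()


def lookup_hardened(conn, raw_id):
    # Defense in depth: reject anything that is not a positive integer before
    # it reaches the database, then still bind it as a parameter.
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return lookup_parameterized(conn, int(raw_id))


def demo():
    """Run all three lookups on a benign and a tampered ID; returns a dict."""
    conn = make_db()
    benign = "2"
    # Constructed tampered value: appends a tautology to the WHERE clause.
    tampered = "2 OR 1=1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),      # every row leaks
        "param_tampered": lookup_parameterized(conn, tampered),  # treated as text, no row
        "hard_benign": lookup_hardened(conn, benign),
    }
    try:
        lookup_hardened(conn, tampered)
        results["hard_tampered"] = "accepted"
    except ValueError:
        results["hard_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns the whole table for the tampered input, the parameterized one returns nothing because the string is compared as a literal, and the hardened one refuses the input before any query runs. Only the third behaviour gives the application a clear signal to log and reject.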
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk of unauthorized database access and manipulation. Attackers exploiting this SQL injection could extract sensitive customer data, such as personal information and order histories, or alter order records, potentially leading to financial loss, reputational damage, and regulatory non-compliance (e.g., GDPR violations). The ability to execute arbitrary SQL commands remotely without authentication increases the attack surface, especially for organizations with internet-facing order management systems. While the impact on availability is limited, data integrity and confidentiality could be compromised. Given the critical nature of customer data in the food service industry and the strict data protection regulations in Europe, exploitation could result in legal penalties and loss of customer trust. However, the niche nature of the affected software limits the scope of impact primarily to organizations that have deployed this specific system.
Mitigation Recommendations
Organizations using the Simple Pizza Ordering System 1.0 should immediately undertake the following specific actions:
1) Conduct an inventory to identify all instances of the affected software version in use.
2) If available, apply vendor-provided patches or updates; if no patch exists, consider upgrading to a newer, secure version or migrating to alternative ordering systems.
3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'ID' parameter in /addpro.php.
4) Employ input validation and parameterized queries or prepared statements in the application code to prevent injection.
5) Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation.
6) Monitor logs for suspicious database queries or unusual application behavior indicative of exploitation attempts.
7) Isolate the ordering system from other critical network segments to contain potential breaches.
8) Educate IT and security teams about this vulnerability and ensure incident response plans include SQL injection scenarios.
These targeted measures go beyond generic advice by focusing on the specific vulnerable parameter and application context.
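Recommendation 6 (monitor logs for exploitation attempts) can be started with a narrow rule built from what this advisory states: the vulnerable endpoint is /addpro.php and the injected argument is ID, which a legitimate client would only ever send as a number. The added example below (not part of the advisory or the project) parses Apache combined-format access log lines, URL-decodes the query string, and flags every request to /addpro.php whose ID value is not a positive integer. The log lines are constructed samples, and the choice of Apache format is an assumption; a POST body is not visible in an access log, so this rule covers only query-string parameters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" request line: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:00:10:01 +0000] "GET /addpro.php?ID=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2025:00:10:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2025:00:11:42 +0000] "GET /addpro.php?ID=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9000 "-" "curl/8.0"
198.51.100.7 - - [01/Jul/2025:00:11:43 +0000] "GET /addpro.php?id=12%27-- HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.33 - - [01/Jul/2025:00:12:00 +0000] "POST /addpro.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def suspicious_id_requests(log_text, path="/addpro.php", param="ID"):
    """Return one finding per request to `path` whose `param` is not a positive integer.

    The parameter name is matched case-insensitively because PHP's $_GET is
    case-sensitive but attackers and WAF bypass attempts often vary the case.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than crash
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        # parse_qs percent-decodes values, so "%27" becomes "'" here.
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != param.lower():
                continue
            for value in values:
                if not value.isdigit():
                    findings.append(
                        {
                            "ip": m["ip"],
                            "ts": m["ts"],
                            "method": m["method"],
                            "status": m["status"],
                            "value": value,
                        }
                    )
    return findings


if __name__ == "__main__":
    for f in suspicious_id_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} status={f['status']} ID={f['value']!r}")
```

Run over the sample, the rule reports the two requests from 198.51.100.7 and ignores the benign numeric lookup, the unrelated index page, and the POST with no query string. In production the same predicate (non-numeric ID on /addpro.php) is also a good candidate for the WAF rule in recommendation 3, and the 500 status on the second hit is the kind of database error response worth alerting on separately.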
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-30T17:56:56.317Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686327386f40f0eb728d98d4
Added to database: 7/1/2025, 12:09:28 AM
Last enriched: 7/1/2025, 12:24:34 AM
Last updated: 7/15/2025, 6:46:01 AM
Related Threats
- CVE-2025-2800: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeventmanager WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce (High)
- CVE-2025-2799: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeventmanager WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce (Medium)
- CVE-2025-53842: Use of hard-coded credentials in ZEXELON CO., LTD. ZWX-2000CSW2-HN (Medium)
- CVE-2025-6977: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in metagauss ProfileGrid – User Profiles, Groups and Communities (Medium)
- CVE-2025-53958 (Low)