
CVE-2025-6936: SQL Injection in code-projects Simple Pizza Ordering System

Medium
Published: Tue Jul 01 2025 (07/01/2025, 00:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Pizza Ordering System

Description

A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file /addpro.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/01/2025, 00:24:34 UTC

Technical Analysis

CVE-2025-6936 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Simple Pizza Ordering System, specifically within the /addpro.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which allows an attacker to manipulate SQL queries executed by the application. This flaw enables remote attackers to inject arbitrary SQL code without requiring authentication or user interaction, potentially leading to unauthorized data access, data modification, or disruption of the backend database. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known active exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 6.9, indicating a medium severity level, reflecting the ease of exploitation (network accessible, no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (low to limited impact). The vulnerability affects only version 1.0 of the Simple Pizza Ordering System, a niche web application likely used by small to medium-sized businesses for pizza order management. The lack of a patch or mitigation details suggests that users of this software must take immediate action to protect their systems.

Potential Impact

For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk of unauthorized database access and manipulation. Attackers exploiting this SQL injection could extract sensitive customer data, such as personal information and order histories, or alter order records, potentially leading to financial loss, reputational damage, and regulatory non-compliance (e.g., GDPR violations). The ability to execute arbitrary SQL commands remotely without authentication increases the attack surface, especially for organizations with internet-facing order management systems. While the impact on availability is limited, data integrity and confidentiality could be compromised. Given the critical nature of customer data in the food service industry and the strict data protection regulations in Europe, exploitation could result in legal penalties and loss of customer trust. However, the niche nature of the affected software limits the scope of impact primarily to organizations that have deployed this specific system.

Mitigation Recommendations

Organizations using the Simple Pizza Ordering System 1.0 should immediately undertake the following specific actions:

1) Conduct an inventory to identify all instances of the affected software version in use.
2) If available, apply vendor-provided patches or updates; if no patch exists, consider upgrading to a newer, secure version or migrating to alternative ordering systems.
3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'ID' parameter in /addpro.php.
4) Employ input validation and parameterized queries or prepared statements in the application code to prevent injection.
5) Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation.
6) Monitor logs for suspicious database queries or unusual application behavior indicative of exploitation attempts.
7) Isolate the ordering system from other critical network segments to contain potential breaches.
8) Educate IT and security teams about this vulnerability and ensure incident response plans include SQL injection scenarios.

These targeted measures go beyond generic advice by focusing on the specific vulnerable parameter and application context.
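To make step 4 concrete, the following is an added example (not code from the Simple Pizza Ordering System project, whose /addpro.php source is not on this page): a hypothetical PHP handler that reads an ID parameter, shown first in the injectable string-concatenation form and then hardened with type validation and a mysqli prepared statement. The table name `products`, its columns, and the connection details are assumptions.

```php
<?php
// Added example, not the project's own code. Hypothetical reconstruction of an
// endpoint that reads an integer ID from the request, in vulnerable and fixed form.
// Assumes a mysqli connection and a table `products` with an integer `id` column
// (both assumed; the page does not document the application's schema).

declare(strict_types=1);

// Vulnerable pattern: the raw request value is spliced into the SQL text, so the
// structure of the query is decided by whoever supplies the ID parameter.
function loadProductUnsafe(mysqli $db, array $request): ?array
{
    $id = $request['ID'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = '" . $id . "'";
    $result = $db->query($sql);              // string interpolation: injectable
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: validate the type first, then bind the value as a parameter
// so the database engine treats it as data no matter what it contains.
function loadProductSafe(mysqli $db, array $request): ?array
{
    $raw = $request['ID'] ?? null;
    // Accept only a positive decimal integer string; reject arrays and anything
    // non-numeric before the value gets anywhere near the query.
    if (!is_string($raw) || !ctype_digit($raw)) {
        http_response_code(400);
        return null;
    }
    $id = (int) $raw;

    $stmt = $db->prepare("SELECT id, name, price FROM products WHERE id = ?");
    $stmt->bind_param('i', $id);             // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed credentials; the application's own connection code is not on the page).
// Pair this with step 5: the `pizza_app` account should hold only the SELECT/INSERT/
// UPDATE grants the ordering workflow needs, never DROP or FILE privileges.
// $db = new mysqli('localhost', 'pizza_app', 'secret', 'pizza');
// $product = loadProductSafe($db, $_GET);
```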


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-30T17:56:56.317Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686327386f40f0eb728d98d4

Added to database: 7/1/2025, 12:09:28 AM

Last enriched: 7/1/2025, 12:24:34 AM

Last updated: 7/15/2025, 6:46:01 AM
