CVE-2025-6937: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /large.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6937 is a SQL Injection vulnerability identified in version 1.0 of the Simple Pizza Ordering System developed by code-projects. The vulnerability exists in the /large.php file, specifically through the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw without requiring any authentication or user interaction. By injecting malicious SQL code into the 'ID' parameter, an attacker can manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have been reported in the wild yet. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the network attack vector, low complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. The vulnerability does not involve scope changes or security controls bypass. The lack of available patches or mitigations from the vendor further elevates the risk for users of this software version.
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their order and customer data. Exploitation could lead to unauthorized disclosure of sensitive customer information, manipulation of order records, or disruption of service availability. Given the nature of the application—handling customer orders and potentially payment information—such breaches could result in financial losses, reputational damage, and regulatory penalties under GDPR for failing to protect personal data. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially if the system is internet-facing. Small and medium-sized enterprises in the food service sector, which may rely on this software without extensive cybersecurity measures, are particularly vulnerable. Additionally, the public disclosure of the vulnerability could attract opportunistic attackers targeting less-secured systems.
Mitigation Recommendations
Organizations should immediately assess their exposure to the Simple Pizza Ordering System version 1.0. Since no official patches are currently available, the following specific mitigations are recommended: 1) Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter in /large.php. 2) Apply input validation and parameterized queries or prepared statements in the application code to sanitize user inputs, if source code access and modification are possible. 3) Restrict external access to the affected application by network segmentation or VPN access to reduce exposure. 4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint. 5) Consider migrating to a newer, supported version of the software or alternative solutions with secure coding practices. 6) Conduct regular security assessments and penetration testing focused on injection vulnerabilities. These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter and file, leveraging network controls, and emphasizing code-level remediation where feasible.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
CVE-2025-6937: SQL Injection in code-projects Simple Pizza Ordering System
Description
A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /large.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI-Powered Analysis
Technical Analysis
CVE-2025-6937 is a SQL Injection vulnerability identified in version 1.0 of the Simple Pizza Ordering System developed by code-projects. The vulnerability exists in the /large.php file, specifically through the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw without requiring any authentication or user interaction. By injecting malicious SQL code into the 'ID' parameter, an attacker can manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have been reported in the wild yet. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the network attack vector, low complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. The vulnerability does not involve scope changes or security controls bypass. The lack of available patches or mitigations from the vendor further elevates the risk for users of this software version.
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their order and customer data. Exploitation could lead to unauthorized disclosure of sensitive customer information, manipulation of order records, or disruption of service availability. Given the nature of the application—handling customer orders and potentially payment information—such breaches could result in financial losses, reputational damage, and regulatory penalties under GDPR for failing to protect personal data. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially if the system is internet-facing. Small and medium-sized enterprises in the food service sector, which may rely on this software without extensive cybersecurity measures, are particularly vulnerable. Additionally, the public disclosure of the vulnerability could attract opportunistic attackers targeting less-secured systems.
Mitigation Recommendations
Organizations should immediately assess their exposure to the Simple Pizza Ordering System version 1.0. Since no official patches are currently available, the following specific mitigations are recommended: 1) Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter in /large.php. 2) Apply input validation and parameterized queries or prepared statements in the application code to sanitize user inputs, if source code access and modification are possible. 3) Restrict external access to the affected application by network segmentation or VPN access to reduce exposure. 4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint. 5) Consider migrating to a newer, supported version of the software or alternative solutions with secure coding practices. 6) Conduct regular security assessments and penetration testing focused on injection vulnerabilities. These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter and file, leveraging network controls, and emphasizing code-level remediation where feasible.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-06-30T17:56:58.379Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 686331d96f40f0eb728db533
Added to database: 7/1/2025, 12:54:49 AM
Last enriched: 7/1/2025, 1:09:28 AM
Last updated: 7/23/2025, 9:23:46 AM
Views: 18
Related Threats
CVE-2025-53902: CWE-863: Incorrect Authorization in Enalean tuleap
MediumCVE-2025-5684: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xpeedstudio MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
MediumCVE-2025-45346: n/a
UnknownCVE-2025-53541: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Enalean tuleap
MediumCVE-2025-52899: CWE-204: Observable Response Discrepancy in Enalean tuleap
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.