CVE-2025-6937: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /large.php. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6937 is a SQL Injection vulnerability identified in version 1.0 of the Simple Pizza Ordering System developed by code-projects. The vulnerability exists in the /large.php file, specifically through the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw without requiring any authentication or user interaction. By injecting malicious SQL code into the 'ID' parameter, an attacker can manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have been reported in the wild yet. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the network attack vector, low complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. The vulnerability does not involve scope changes or security controls bypass. The lack of available patches or mitigations from the vendor further elevates the risk for users of this software version.
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their order and customer data. Exploitation could lead to unauthorized disclosure of sensitive customer information, manipulation of order records, or disruption of service availability. Given the nature of the application—handling customer orders and potentially payment information—such breaches could result in financial losses, reputational damage, and regulatory penalties under GDPR for failing to protect personal data. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially if the system is internet-facing. Small and medium-sized enterprises in the food service sector, which may rely on this software without extensive cybersecurity measures, are particularly vulnerable. Additionally, the public disclosure of the vulnerability could attract opportunistic attackers targeting less-secured systems.
Mitigation Recommendations
Organizations should immediately assess their exposure to the Simple Pizza Ordering System version 1.0. Since no official patches are currently available, the following specific mitigations are recommended:
1) Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter in /large.php.
2) Apply input validation and parameterized queries or prepared statements in the application code, so that user input is never concatenated into SQL text, if source code access and modification are possible.
3) Restrict external access to the affected application by network segmentation or VPN access to reduce exposure.
4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint.
5) Consider migrating to a newer, supported version of the software or alternative solutions with secure coding practices.
6) Conduct regular security assessments and penetration testing focused on injection vulnerabilities.
These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter and file, leveraging network controls, and emphasizing code-level remediation where feasible.
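One way to implement recommendations 1 and 4 together, as an added example that is not code from code-projects or from the CVE record: scan an access log for requests to /large.php whose ID argument is not the plain integer the application presumably expects, and count repeated attempts per source address. It assumes an Apache/nginx combined log format, that ID is numeric (the advisory only names the argument), and uses constructed log lines.

```python
"""Flag requests to /large.php whose ID argument is not a plain integer.

Constructed example for this advisory; assumes a combined access log and
that /large.php expects a numeric ID (assumption: the CVE names only the
argument, not its type).
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/large.php"
PARAM = "ID"
INTEGER = re.compile(r"\d{1,10}")  # strict allow-list for the expected value

# Constructed sample log lines (not real traffic). 203.0.113.9 sends
# three malformed IDs; the 500s hint at database errors worth a closer look.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2025:00:55:01 +0000] "GET /large.php?ID=7 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jul/2025:00:55:02 +0000] "GET /large.php?ID=7%27 HTTP/1.1" 500 210
203.0.113.9 - - [01/Jul/2025:00:55:03 +0000] "GET /large.php?ID=7%3B HTTP/1.1" 500 210
203.0.113.9 - - [01/Jul/2025:00:55:04 +0000] "GET /large.php?ID=abc HTTP/1.1" 200 512
198.51.100.2 - - [01/Jul/2025:00:55:05 +0000] "GET /index.php?ID=7%27 HTTP/1.1" 200 900
"""


def id_values(target):
    """Return the decoded ID values of a request to /large.php (key matched case-insensitively)."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return [v for k, vs in qs.items() if k.lower() == PARAM.lower() for v in vs]


def suspicious(value):
    """True when ID is anything other than the integer the application expects."""
    return INTEGER.fullmatch(value) is None


def scan(log_text):
    """Return (hits, per_ip): suspicious (ip, decoded ID, status) tuples and hits per source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        for v in id_values(m["target"]):
            if suspicious(v):
                hits.append((m["ip"], v, int(m["status"])))
    return hits, Counter(ip for ip, _, _ in hits)
```

Requests to other paths are ignored on purpose; widen ENDPOINT to a list if other scripts of the same application take an ID argument.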
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-30T17:56:58.379Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686331d96f40f0eb728db533
Added to database: 7/1/2025, 12:54:49 AM
Last enriched: 7/1/2025, 1:09:28 AM
Last updated: 10/30/2025, 2:13:10 PM