CVE-2025-11612 Overview
CVE-2025-11612 is a SQL injection vulnerability in code-projects Simple Food Ordering System 1.0. The flaw resides in the /addproduct.php script, where the Category parameter is concatenated into a SQL query without proper sanitization. An authenticated remote attacker with low privileges can manipulate the parameter to alter query logic, read database contents, or modify stored records.
The issue is tracked under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output). Public disclosure has occurred through VulDB #327942 and a GitHub CVE Issue Discussion.
Critical Impact
Remote authenticated attackers can inject arbitrary SQL through the Category parameter in /addproduct.php, leading to unauthorized database read and write operations.
Affected Products
- code-projects Simple Food Ordering System 1.0
- CPE: cpe:2.3:a:fabian:simple_food_ordering_system:1.0:*:*:*:*:*:*:*
- Vendor: Fabian (distributed via Code Projects Resource Hub)
Discovery Timeline
- 2025-10-11 - CVE-2025-11612 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11612
Vulnerability Analysis
The vulnerability affects the product creation workflow in Simple Food Ordering System 1.0. The /addproduct.php endpoint accepts a Category argument supplied by the client and passes it into a backend SQL statement without parameterization or input validation.
An attacker authenticated as a low-privileged user can submit crafted input that breaks out of the intended query context. This allows execution of attacker-controlled SQL clauses against the application database. The EPSS probability for this CVE is 0.302%, with public exploit details disclosed through VulDB.
Root Cause
The root cause is improper neutralization of user-supplied input before it is used in a SQL command. The application directly concatenates the Category parameter into the query string instead of using prepared statements or bound parameters. PHP database APIs such as PDO and MySQLi provide parameterized query interfaces, but /addproduct.php does not use them for this input path.
Attack Vector
The attack vector is network-based. An attacker requires low privileges, in practice a valid account permitted to access /addproduct.php, such as a staff or administrative login. The attacker submits a POST or GET request to the product-addition endpoint with a malicious Category value containing SQL metacharacters such as single quotes, comments, or UNION SELECT clauses.
The injected payload is appended to the SQL statement and executed by the backend MySQL database. Depending on database privileges, the attacker can extract user credentials, modify menu data, or escalate access. Public proof-of-concept material is referenced in the GitHub CVE Issue Discussion.
Detection Methods for CVE-2025-11612
Indicators of Compromise
- HTTP requests to /addproduct.php containing SQL metacharacters such as ', --, UNION, SELECT, or OR 1=1 in the Category parameter.
- Unexpected database errors or stack traces in PHP/MySQL logs originating from addproduct.php.
- Sudden creation or modification of product records by accounts that do not normally perform such actions.
- Outbound database connections or unusual query volumes from the web application service account.
Detection Strategies
- Inspect web server access logs for anomalous Category parameter values containing URL-encoded SQL syntax.
- Deploy a web application firewall rule that flags SQL injection signatures targeting /addproduct.php.
- Enable MySQL general query logging in development or staging to baseline normal addproduct.php query patterns and alert on deviations.
- Correlate authentication events with subsequent product-add requests to identify accounts being abused for injection testing.
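As an added example (not part of the original advisory), a PHP CLI script applying the access-log inspection strategy above: it parses combined-format log lines, pulls the Category parameter out of requests to /addproduct.php, decodes it twice to catch double encoding, and flags SQL syntax. The log lines, pattern list and function names are constructed for this example.

```php
<?php
// Added example, not part of the original advisory. Scans combined-format
// access log lines for requests to /addproduct.php whose Category parameter,
// once URL-decoded, contains SQL syntax. Only GET query strings appear in
// access logs; POST bodies need WAF or ModSecurity audit logging instead.

// Broad patterns, intended for alerting rather than blocking.
const SQLI_PATTERNS = [
    "/'/",                                   // single quote
    '/--|#|\/\*/',                           // comment markers
    '/\bunion\b.*\bselect\b/i',              // UNION SELECT
    '/\bor\b\s+\d+\s*=\s*\d+/i',             // OR 1=1 tautology
    '/;\s*(drop|update|delete|insert)\b/i',  // stacked statement
];

// Category value from a log line that hits /addproduct.php, or null.
function extractCategory(string $line): ?string {
    $re = '/"(?:GET|POST)\s+\/addproduct\.php(?:\?(\S*))?\s+HTTP/i';
    if (!preg_match($re, $line, $m) || empty($m[1])) {
        return null;
    }
    parse_str($m[1], $params);          // first decoding pass
    $value = $params['Category'] ?? null;
    return is_string($value) ? $value : null;
}

function isSuspiciousCategory(string $value): bool {
    $decoded = urldecode($value);       // second pass catches double encoding
    foreach (SQLI_PATTERNS as $pattern) {
        if (preg_match($pattern, $decoded)) {
            return true;
        }
    }
    return false;
}

// Constructed sample lines: a benign request, a quote/tautology probe,
// and a double-encoded UNION SELECT probe.
$samples = [
    '10.0.0.5 - admin [11/Oct/2025:10:01:02 +0000] "GET /addproduct.php?Category=3 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [11/Oct/2025:10:02:15 +0000] "GET /addproduct.php?Category=1%27%20OR%201%3D1-- HTTP/1.1" 500 231',
    '10.0.0.9 - admin [11/Oct/2025:10:03:40 +0000] "GET /addproduct.php?Category=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 200 340',
];
foreach ($samples as $line) {
    $category = extractCategory($line);
    if ($category !== null && isSuspiciousCategory($category)) {
        echo "ALERT possible CVE-2025-11612 probe: $line\n";
    }
}
```

The second and third sample lines are reported; the first is not. Feed real lines with `php scan.php < access.log` after replacing the sample array with a loop over STDIN.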
Monitoring Recommendations
- Forward web server, PHP error, and MySQL logs to a central SIEM for correlation and retention.
- Alert on repeated HTTP 500 responses from /addproduct.php, which often indicate injection probing.
- Monitor changes to sensitive tables such as users or admin outside of expected maintenance windows.
How to Mitigate CVE-2025-11612
Immediate Actions Required
- Restrict access to /addproduct.php to trusted administrative IP ranges using web server access controls.
- Rotate credentials for any accounts that can authenticate to the application administration interface.
- Review database audit logs for unauthorized read or write operations against product and user tables.
- Deploy WAF signatures that block common SQL injection payloads on the Category parameter.
Patch Information
No official vendor patch has been published for code-projects Simple Food Ordering System 1.0 at the time of NVD publication. Organizations running this software should consider it end-of-support and plan migration to an actively maintained alternative. Monitor the Code Projects Resource Hub and VulDB CTI ID #327942 for any vendor updates.
Workarounds
- Modify /addproduct.php to use parameterized queries via PDO or MySQLi prepared statements for the Category input.
- Apply server-side allowlist validation that restricts Category to a predefined set of category identifiers.
- Run the MySQL service account with least privilege so it cannot execute DDL or read administrative tables.
- Take the application offline if it is internet-exposed and not essential, until source-level fixes are applied.
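The first two workarounds side by side, as an added example that is not the project's own code: the concatenation pattern the advisory describes next to a version that allowlists Category as a numeric id and binds it through a PDO prepared statement. The table and column names (products, categories, category_id) and the connection settings are assumptions.

```php
<?php
// Added example, not the project's own code. Table and column names
// (products, categories, category_id) are assumptions about the schema.

// Pattern the advisory describes: the Category value is spliced into the
// SQL text, so a quote in it changes the statement. Kept here only as the
// "before" for comparison.
function addProductVulnerable(PDO $db, array $post): bool {
    $sql = "INSERT INTO products (name, category_id, price) VALUES ('"
         . $post['name'] . "', '" . $post['Category'] . "', '" . $post['price'] . "')";
    return $db->exec($sql) !== false;
}

// Fix: allowlist the value, then bind it. The database receives the
// statement text and the parameter separately, so no value can alter
// the query structure.
function addProductFixed(PDO $db, array $post): bool {
    // Allowlist: Category must be a numeric id present in the categories table.
    $raw = (string)($post['Category'] ?? '');
    if ($raw === '' || !ctype_digit($raw)) {
        throw new InvalidArgumentException('Category must be a numeric id');
    }
    $categoryId = (int)$raw;

    $check = $db->prepare('SELECT 1 FROM categories WHERE id = :id');
    $check->execute([':id' => $categoryId]);
    if ($check->fetchColumn() === false) {
        throw new InvalidArgumentException('Unknown category id');
    }

    $stmt = $db->prepare(
        'INSERT INTO products (name, category_id, price) VALUES (:name, :cat, :price)'
    );
    return $stmt->execute([
        ':name'  => (string)($post['name'] ?? ''),
        ':cat'   => $categoryId,
        ':price' => (float)($post['price'] ?? 0),
    ]);
}

// Connection settings are placeholders. Native prepares are forced so the
// driver does not fall back to client-side string interpolation.
// $pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER',
//     'PASS_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                          PDO::ATTR_EMULATE_PREPARES => false]);
// addProductFixed($pdo, $_POST);
```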
# Example Apache configuration restricting access to /addproduct.php
# (Apache 2.4 syntax; several Require lines under one Location are OR-ed)
<Location "/addproduct.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>

# Example ModSecurity rule blocking SQLi patterns in the Category parameter
SecRule ARGS:Category "@detectSQLi" \
    "id:1011612,phase:2,deny,status:403,\
    msg:'CVE-2025-11612 SQLi attempt on addproduct.php Category parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.