CVE-2025-6480 in Simple Pizza Ordering Systeminfo

Summary

by MITRE • 06/23/2025

A vulnerability classified as critical was found in code-projects Simple Pizza Ordering System 1.0. This vulnerability affects unknown code of the file /addcatexec.php. The manipulation of the argument textfield leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/25/2025

The vulnerability identified as CVE-2025-6480 represents a critical sql injection flaw within the code-projects Simple Pizza Ordering System version 1.0. This system is designed for managing pizza orders through a web interface, and the discovered vulnerability specifically targets the /addcatexec.php file which handles category addition functionality. The vulnerability arises from insufficient input validation and sanitization of user-supplied data, particularly within the textfield parameter that processes category names and descriptions. Security researchers have determined that this flaw allows attackers to execute arbitrary sql commands against the underlying database, potentially leading to complete system compromise. The vulnerability's classification as critical reflects the severity of potential impacts including data theft, unauthorized access, and system manipulation. The exploit has been publicly disclosed, making it readily available to malicious actors who may leverage this weakness to target installations of the Simple Pizza Ordering System.

The technical implementation of this sql injection vulnerability occurs when user input from the textfield parameter is directly incorporated into sql queries without proper sanitization or parameterization. Attackers can manipulate the textfield argument to inject malicious sql code that bypasses normal authentication mechanisms and executes unauthorized database operations. This type of vulnerability falls under the CWE-89 category known as "Improper Neutralization of Special Elements used in an SQL Command" and aligns with the ATT&CK technique T1190 "Exploit Public-Facing Application" as the attack vector involves exploiting a web application interface. The remote exploitation capability means that attackers do not require physical access to the system and can leverage this vulnerability from any location with internet connectivity. The vulnerability's presence in the addcatexec.php file suggests that the application's backend processing logic fails to properly validate or escape user input before incorporating it into database queries, creating a persistent attack surface that can be exploited repeatedly.

The operational impact of this vulnerability extends beyond simple data compromise to include complete system takeover potential. Successful exploitation could allow attackers to extract sensitive customer information including personal details, order histories, and payment data stored within the database. Additionally, attackers might modify or delete existing records, inject malicious content, or escalate privileges to gain administrative control over the application. The vulnerability affects the system's integrity and confidentiality, potentially violating data protection regulations and exposing organizations to significant financial and reputational damage. Organizations running this version of the Simple Pizza Ordering System face heightened risk of data breaches and unauthorized system access. The public disclosure of the exploit increases the likelihood of automated attacks targeting vulnerable installations, making immediate remediation essential to prevent exploitation.

Mitigation strategies for CVE-2025-6480 should prioritize immediate patching of the affected application to address the sql injection vulnerability in the addcatexec.php file. Organizations should implement proper input validation and sanitization measures, including parameterized queries or prepared statements to prevent sql injection attacks. The application should enforce proper authentication and authorization controls to limit access to administrative functions. Network segmentation and intrusion detection systems can help monitor for exploitation attempts, while regular security assessments should verify that all input fields are properly sanitized. Security patches should be applied immediately, and the application should be updated to a version that addresses this vulnerability. Organizations should also implement web application firewalls to detect and block malicious sql injection attempts, and conduct thorough code reviews to identify similar vulnerabilities in other application components. The remediation process should include comprehensive testing to ensure that the fix does not introduce new functionality issues while maintaining the application's intended operational capabilities.

Responsible

VulDB

Disclosure

06/23/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00394

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!