CVE-2025-6483 in Simple Pizza Ordering Systeminfo

Summary

by MITRE • 06/23/2025

A vulnerability has been found in code-projects Simple Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /edituser.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/25/2025

This critical vulnerability exists within the code-projects Simple Pizza Ordering System version 1.0, specifically targeting the /edituser.php file through a SQL injection flaw. The vulnerability stems from improper input validation where the ID parameter is directly incorporated into database queries without adequate sanitization or parameterization. This allows malicious actors to manipulate the SQL query structure by injecting malicious SQL code through the ID argument, potentially gaining unauthorized access to sensitive user data and system information.

The technical implementation of this vulnerability follows standard SQL injection patterns where the application fails to properly escape or validate user-supplied input before incorporating it into database operations. When an attacker sends a crafted ID parameter to the edituser.php endpoint, the application processes this input directly within SQL commands, creating opportunities for data extraction, modification, or deletion. The remote exploitability of this vulnerability means that attackers do not require physical access to the system, enabling them to target the application from external networks and potentially escalate privileges through database-level attacks.

The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to manipulate user accounts, access confidential customer information, and potentially compromise the entire application infrastructure. This represents a significant risk to user privacy and business operations, particularly given that the system handles pizza ordering functionality that likely includes personal customer details, payment information, and order history. The disclosure of exploitation methods to the public significantly increases the risk surface and likelihood of successful attacks against vulnerable installations.

Security mitigations for this vulnerability should prioritize immediate implementation of parameterized queries and input validation measures to prevent SQL injection attacks. Organizations should implement proper input sanitization, employ prepared statements with bound parameters, and conduct comprehensive code reviews to identify similar vulnerabilities throughout the application codebase. Additionally, network-level protections including web application firewalls and intrusion detection systems should be deployed to monitor and block suspicious SQL injection attempts. The vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and represents a technique commonly catalogued in ATT&CK framework under T1190 for exploit public-facing application, emphasizing the critical need for immediate remediation and security hardening measures.

Responsible

VulDB

Disclosure

06/23/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00394

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!