CVE-2025-11612

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Simple Food Ordering System 1.0 lets an attacker who can reach /addproduct.php alter the database query built from the Category parameter. Depending on the privileges of the application's database account, the attacker can read, modify, or delete database content. All deployments of Simple Food Ordering System 1.0 are affected.

💻 Affected Systems

Products:
  • Simple Food Ordering System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft or tampering of everything the application's database account can reach. Escalation to code execution on the host is only possible where that account holds extra privileges (for example MySQL FILE / INTO OUTFILE permission to write a file into the web root); it is not implied by the injection alone.

🟠 Likely Case

Unauthorized reading or modification of the application's data through the injected query, and privilege escalation within the application if credentials stored in the database are read out.

🟢 If Mitigated

Limited impact once /addproduct.php builds its query with parameterized statements and validates Category; remaining exposure is bounded by what the low-privilege database account is allowed to do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (an account that can reach /addproduct.php is needed)
Complexity: LOW

Exploit details are publicly available in GitHub issues. The attack requires access to the /addproduct.php endpoint; from there a single crafted request carrying the Category value is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/ (vendor home page; no dedicated advisory)

Restart Required: No

Instructions:

No official patch is available. Rewrite the query in /addproduct.php so that the Category value (and every other request parameter) is passed to the database through a parameterized prepared statement instead of being concatenated into the SQL string, and validate Category against the set of categories the application defines. Escaping on its own is not a substitute.
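The fix described above, as an added example that is not the project's own addproduct.php: a constructed, deliberately vulnerable string-concatenation insert beside a hardened version that uses a mysqli prepared statement and validates Category against an allow-list. The table and column names (products, categories, name, price, category), the form field names, and the connection details are assumptions for illustration; only the Category parameter is named by the advisory.

```php
<?php
declare(strict_types=1);

// Added example: constructed vulnerable pattern beside its hardened form.
// NOT the project's addproduct.php. Table/column names (products, categories,
// name, price, category) and form field names are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// ---- Vulnerable pattern (illustration of the bug class, CWE-89) ----
function add_product_vulnerable(mysqli $db, string $name, string $price, string $category): bool
{
    // User-controlled values are spliced into the SQL text. A Category such as
    //   Drinks'); DROP TABLE products; --
    // closes the string literal and the VALUES list, so the attacker now
    // writes SQL, not data.
    $sql = "INSERT INTO products (name, price, category) "
         . "VALUES ('$name', '$price', '$category')";
    return $db->query($sql) === true;
}

// ---- Hardened form ----

// Allow-list of valid categories, read from the (assumed) categories table.
function known_categories(mysqli $db): array
{
    $rows = $db->query('SELECT name FROM categories')->fetch_all(MYSQLI_ASSOC);
    return array_column($rows, 'name');
}

function add_product_safe(mysqli $db, string $name, string $price, string $category): bool
{
    // 1) Validate against what the application actually accepts. This is
    //    defence in depth (clear errors, no junk rows); the prepared statement
    //    in step 2 is what makes injection impossible regardless of the value.
    if (!in_array($category, known_categories($db), true)) {
        throw new InvalidArgumentException('unknown category');
    }
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a decimal number');
    }
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }

    // 2) Parameterised query: SQL text and values travel to the server
    //    separately, so a quote or comment sequence in any value is stored
    //    as data and can never change the statement's structure.
    $stmt = $db->prepare(
        'INSERT INTO products (name, price, category) VALUES (?, ?, ?)'
    );
    $priceValue = (float) $price;            // bind_param binds variables by reference
    $stmt->bind_param('sds', $name, $priceValue, $category);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage in addproduct.php (form assumed to POST Name, Price, Category).
// Connect as a dedicated low-privilege account limited to the application's
// own tables, which bounds what any remaining injection could do.
//
//   $db = new mysqli('localhost', 'food_app', (string) getenv('DB_PASSWORD'), 'food_ordering');
//   $db->set_charset('utf8mb4');
//   try {
//       add_product_safe($db, $_POST['Name'] ?? '', $_POST['Price'] ?? '', $_POST['Category'] ?? '');
//   } catch (InvalidArgumentException $e) {
//       http_response_code(400);
//       echo 'Invalid input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
//   }
```

The validation step is there for correctness and clear error handling; it must not be mistaken for the security control. Even if the allow-list were removed, the prepared statement alone prevents the injection, which is why the instruction above is to parameterize first and validate in addition.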

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)

Validate the Category value against the list of categories the application actually defines (an allow-list) and reject everything else. Filtering "dangerous" characters with a deny-list is easy to bypass and only buys time; it does not replace parameterized queries.

Web Application Firewall Rules (all platforms)

Deploy WAF rules that block common SQL injection patterns in requests to /addproduct.php (quotes and comment sequences, UNION/SELECT, time-based functions such as SLEEP or BENCHMARK). Log WAF matches as well as blocking them: if the form is submitted by POST, the WAF is often the only component that sees the Category value, since a web server access log does not record request bodies.

🧯 If You Can't Patch

  • Restrict access to /addproduct.php with network controls (for example, allow only administrator addresses) or an additional authentication layer placed in front of the application
  • Run the application with a dedicated database account that has only the SELECT/INSERT/UPDATE/DELETE rights it needs on its own schema, and no FILE, SUPER, or cross-database privileges; this bounds what an injected query can do and removes the path from SQL injection to file writes

🔍 How to Verify

Check if Vulnerable:

On a non-production copy, submit /addproduct.php with a harmless probe in Category (for example a lone apostrophe, or a value that is not one of the defined categories) and watch for a database error message, an HTTP 500, or a product row created with an unexpected category. Do not run destructive payloads against production data.

Check Version:

Check the application version in the admin panel or in the configuration and source files of the installed package.

Verify Fix Applied:

Repeat the same probes after the change: the request should either be rejected by validation or stored literally as data, with no database error in the response and no effect on other rows.

📡 Detection & Monitoring

Log Indicators:

  • Database logs: queries from the application's account that contain UNION, comment sequences, or statements that do not match the application's normal inserts
  • Web logs: requests to /addproduct.php whose Category value contains quotes, comment sequences (--, #, /*), or SQL keywords. Note that a GET query string is recorded in the access log while a POST body is not, so application-level or WAF logging is needed to see Category in POST submissions

Network Indicators:

  • Unusual traffic patterns to /addproduct.php (bursts of requests, atypical user agents such as scanners or curl)
  • SQL error messages (for example MySQL syntax errors) in HTTP responses from /addproduct.php

SIEM Query (pseudo-syntax; adapt to your platform):

source="web_logs" AND uri="/addproduct.php" AND param="Category" AND (value CONTAINS "'" OR value CONTAINS "--" OR value CONTAINS ";" OR value CONTAINS "UNION")
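The log indicators and the SIEM query above, applied to constructed sample log lines as an added example (not code from the original page or the project). It reads web-server combined-format access-log lines, where only a GET query string exposes the Category value, and lines from an assumed application-side JSON log that records the POST form body; that JSON layout and the list of known categories are made up for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page or the project: applies the log
// indicators above to constructed sample log lines from two sources:
//  - web-server "combined" access-log lines (request line only: a Category
//    sent in a GET query string is visible, a POST body is not);
//  - an assumed application-side JSON log that records the POST form body.
//    Its layout (ts/client/user/method/uri/form) is made up for this example.

// SQL metacharacters and keywords that have no business in a category name.
const SQLI_PATTERNS = [
    'quote'   => "/['\"]/",
    'comment' => '~--|#|/\*~',
    'stacked' => '/;\s*[a-z]/i',
    'keyword' => '/\b(?:union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(|(?:or|and)\s+[\'"\d])/i',
];

// Categories this deployment defines (assumed). Category is an enumerated
// field, so any other value is an anomaly even without SQL syntax in it.
const KNOWN_CATEGORIES = ['Drinks', 'Main Course', 'Dessert', 'Snacks'];

function suspicious_reasons(string $value): array
{
    $reasons = in_array($value, KNOWN_CATEGORIES, true) ? [] : ['not-a-known-category'];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $value) === 1) {
            $reasons[] = $name;
        }
    }
    return $reasons;
}

// Normalises one log line to [client, user, method, path, params] or null.
function parse_line(string $line): ?array
{
    $line = trim($line);
    if ($line === '') {
        return null;
    }
    if ($line[0] === '{') {                                   // assumed JSON app log
        $rec = json_decode($line, true);
        if (!is_array($rec) || !is_string($rec['uri'] ?? null)) {
            return null;
        }
        return [
            'client' => (string) ($rec['client'] ?? '-'),
            'user'   => (string) ($rec['user'] ?? '-'),
            'method' => (string) ($rec['method'] ?? '-'),
            'path'   => (string) parse_url($rec['uri'], PHP_URL_PATH),
            'params' => is_array($rec['form'] ?? null) ? $rec['form'] : [],
        ];
    }
    // combined format: client ident user [time] "METHOD URI PROTO" status size ...
    if (!preg_match('/^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}/', $line, $m)) {
        return null;
    }
    [, $client, $user, $method, $uri] = $m;
    $params = [];
    $query  = parse_url($uri, PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);                           // also URL-decodes
    }
    return [
        'client' => $client, 'user' => $user, 'method' => $method,
        'path'   => (string) parse_url($uri, PHP_URL_PATH),
        'params' => $params,
    ];
}

// One alert per request to addproduct.php whose Category value looks hostile.
function scan(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || basename($r['path']) !== 'addproduct.php') {
            continue;
        }
        $cat = $r['params']['Category'] ?? null;
        if (!is_string($cat)) {
            continue;   // e.g. a POST seen only in the access log: no body to inspect
        }
        $reasons = suspicious_reasons($cat);
        if ($reasons !== []) {
            $alerts[] = ['client' => $r['client'], 'user' => $r['user'],
                         'method' => $r['method'], 'category' => $cat, 'reasons' => $reasons];
        }
    }
    return $alerts;
}

// Constructed sample lines: benign GET, injected GET, a POST whose body the
// access log cannot show, the same POST from the app log, an unrelated page.
$sample = [
    '10.0.0.5 - admin [12/Oct/2025:10:15:32 +0000] "GET /addproduct.php?Name=Tea&Price=2&Category=Drinks HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Oct/2025:10:16:01 +0000] "GET /addproduct.php?Name=Tea&Price=2&Category=Drinks%27+OR+1%3D1--+- HTTP/1.1" 500 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [12/Oct/2025:10:17:40 +0000] "POST /addproduct.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '{"ts":"2025-10-12T10:17:40Z","client":"10.0.0.9","user":"admin","method":"POST","uri":"/addproduct.php","form":{"Name":"x","Price":"1","Category":"Drinks\' UNION SELECT 1,2,3-- -"}}',
    '10.0.0.7 - - [12/Oct/2025:10:18:02 +0000] "GET /index.php?Category=Drinks%27 HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
];

foreach (scan($sample) as $a) {
    printf("%-9s %-6s %-4s Category=%s [%s]\n",
        $a['client'], $a['user'], $a['method'], $a['category'], implode(',', $a['reasons']));
}
```

Run against the sample, the scanner raises two alerts: the injected GET (quote, comment, keyword, and not a known category) and the POST, but only from the application log line; the access-log record of that same POST carries no Category at all, which is the gap the log-indicator note above refers to. The allow-list check is the more robust signal for an enumerated field like Category, since it does not depend on recognising a particular injection syntax.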
