CVE-2025-2387
📋 TL;DR
This critical SQL injection vulnerability in SourceCodester Online Food Ordering System 2.0 allows remote attackers to execute arbitrary SQL commands via the 'pid' parameter in the /admin/ajax.php endpoint. Attackers can potentially access, modify, or delete database content, including sensitive customer and order information. All deployments of version 2.0 are affected.
💻 Affected Systems
- SourceCodester Online Food Ordering System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, authentication bypass, or remote code execution via database functions.
Likely Case
Data exfiltration of customer information, order details, and administrative credentials stored in the database.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.
🎯 Exploit Status
Exploit details are publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UNKNOWN
Vendor Advisory: https://www.sourcecodester.com/
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates. Consider implementing workarounds or migrating to alternative software.
🔧 Temporary Workarounds
Input Validation and Sanitization
PHP: Implement strict input validation and parameterized queries for the 'pid' parameter in ajax.php.
Modify /admin/ajax.php to use prepared statements: $stmt = $conn->prepare('INSERT INTO cart (pid) VALUES (?)'); $stmt->bind_param('s', $_POST['pid']); $stmt->execute();
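The following is an added example of that workaround, not code from the SourceCodester project. It shows the unsafe string-concatenation pattern this class of bug comes from next to the hardened form, which validates pid before it reaches a prepared statement. It assumes a mysqli connection in $conn and a cart table with a pid column, as the advisory's snippet does; the action name, the integer type of the pid column and the connection credentials are placeholders.

```php
<?php
// Added example (not the project's code). Assumes $conn is a mysqli
// connection and `cart` has a `pid` column. Action name, column type and
// connection details below are placeholders.

declare(strict_types=1);

/**
 * Validate the incoming pid: it must be a positive integer. Returns null
 * when the value is missing or malformed so the caller rejects it before
 * any SQL is touched.
 */
function validate_pid($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $pid === false ? null : $pid;
}

/**
 * Unsafe pattern (the bug class this advisory describes): the request
 * value is concatenated straight into the query text.
 */
function add_to_cart_unsafe(mysqli $conn, string $rawPid): bool
{
    $sql = "INSERT INTO cart (pid) VALUES ('" . $rawPid . "')";
    return $conn->query($sql) === true;
}

/**
 * Hardened pattern: validate, then pass the value through a prepared
 * statement so it travels to the server as data, never as SQL text.
 */
function add_to_cart_safe(mysqli $conn, $rawPid): bool
{
    $pid = validate_pid($rawPid);
    if ($pid === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $conn->prepare('INSERT INTO cart (pid) VALUES (?)');
    if ($stmt === false) {
        // Keep driver errors in the server log only; never echo them to the client.
        error_log('prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('i', $pid); // assumption: pid column is an integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatch on an action parameter, mirroring the ajax.php routing style.
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'add_to_cart') {
    // Placeholder credentials; in practice load them from configuration.
    $conn = new mysqli('localhost', 'app_user', 'placeholder-password', 'food_ordering');
    echo add_to_cart_safe($conn, $_POST['pid'] ?? null) ? '1' : '0';
}
```

The validation step matters even with a prepared statement: it turns a malformed pid into a clean 400 response instead of a database error, which removes the error-message feedback that the "How to Verify" section relies on to detect the bug.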
Web Application Firewall Rules
All: Block SQL injection patterns targeting the /admin/ajax.php endpoint.
WAF rule: deny requests to /admin/ajax.php containing SQL keywords like UNION, SELECT, INSERT, DELETE in parameters. Treat keyword blocking as a stopgap only: it can be evaded with encoding or case variation and it may reject legitimate input that happens to contain these words, so the prepared-statement fix above remains the real remedy.
🧯 If You Can't Patch
- Block external access to /admin/ajax.php endpoint at network perimeter
- Implement strict database user permissions with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Test the /admin/ajax.php endpoint with SQL injection payloads in the 'pid' parameter and observe database errors or unexpected behavior.
Check Version:
Check application version in admin panel or review source code for version markers.
Verify Fix Applied:
Attempt SQL injection after implementing fixes and verify no database errors or unauthorized data access occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /admin/ajax.php with SQL keywords in parameters
- Unexpected database queries from web application user
Network Indicators:
- HTTP POST requests to /admin/ajax.php containing SQL injection patterns
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND uri="/admin/ajax.php" AND (param="pid" AND value MATCHES "(?i)(union|select|insert|delete|drop|--|#)")
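As an added example, not part of the original advisory, here is the SIEM query's logic as a small PHP scanner that can be run over raw access logs where no SIEM is available. The log format is constructed for the example: a combined-style line followed by the URL-encoded POST body in a trailing quoted field (proxies can be configured to log bodies, but the exact layout is an assumption). It decodes the pid parameter before matching, which is what makes it catch the URL-encoded variants a plain keyword grep on the raw line would miss.

```php
<?php
// Added example (not from the advisory). Log lines below are constructed;
// the body-logging format is an assumption about the deployment.

declare(strict_types=1);

// Keyword set from the advisory's SIEM query plus quote and comment markers.
const SQLI_PATTERN = '/(union|select|insert|delete|drop|--|#|\'|\/\*)/i';

/**
 * Parse one constructed log line into its parts, or return null if the
 * line does not match the expected layout.
 */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'uri' => $m[3], 'body' => $m[4]];
}

/**
 * True when the request targets /admin/ajax.php and its URL-decoded pid
 * parameter contains SQL injection markers.
 */
function is_suspicious(array $req): bool
{
    $path = parse_url($req['uri'], PHP_URL_PATH);
    if ($path !== '/admin/ajax.php') {
        return false;
    }
    parse_str($req['body'], $params); // parse_str also URL-decodes values
    if (!isset($params['pid']) || !is_string($params['pid'])) {
        return false;
    }
    return preg_match(SQLI_PATTERN, $params['pid']) === 1;
}

/** Scan a list of log lines and return "ip uri" strings for each hit. */
function scan(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req['ip'] . ' ' . $req['uri'];
        }
    }
    return $hits;
}

// Constructed sample: one benign cart request, one with an encoded
// injection marker, one unrelated GET, one unrelated POST to ajax.php.
$sample = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "POST /admin/ajax.php?action=add_to_cart HTTP/1.1" 200 1 "pid=12"',
    '203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "POST /admin/ajax.php?action=add_to_cart HTTP/1.1" 200 1 "pid=12%27+UNION+SELECT+1--"',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-"',
    '203.0.113.10 - - [01/Jan/2025:10:02:00 +0000] "POST /admin/ajax.php?action=login HTTP/1.1" 200 1 "username=admin&password=x"',
];

foreach (scan($sample) as $hit) {
    echo "ALERT sqli-marker-in-pid $hit\n"; // only the second sample line alerts
}
```

Because the match runs on the decoded value of pid alone, the scanner stays quiet on the login request even though its body passes through the same endpoint, which keeps the alert tied to the parameter this CVE actually concerns. The keyword list is inherited from the SIEM query and will still flag legitimate values that contain those words; tune it against a sample of normal traffic before alerting on it.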