CVE-2026-26713
code-projects · Simple Food Order System
The Simple Food Order System v1.0 contains a critical SQL Injection vulnerability in the cancel-order.php script, posing a risk of unauthorized database access.
Executive summary
An unauthenticated SQL Injection vulnerability in the cancel-order.php component of Simple Food Order System v1.0 allows for complete database compromise.
Vulnerability
The vulnerability is located in /food/routers/cancel-order.php. The script incorporates request input into its SQL statement without validating it or using a parameterized query, so an unauthenticated attacker can alter the statement the database executes rather than merely the value it operates on. For a cancellation endpoint this typically means the conditions of the affected query, and therefore which records it touches, are under attacker control.
Business impact
A successful attack could result in the deletion of order records, theft of user data, or administrative credential harvesting. The CVSS score of 9.8 reflects the critical nature of this flaw: the endpoint is reachable over the network, no privileges or user interaction are needed, and the confidentiality, integrity and availability of the database are all at stake, which translates into significant business disruption and data loss.
Remediation
Immediate Action: Update to a patched version when one is available. Otherwise, rewrite the database access in /food/routers/cancel-order.php to use prepared statements with bound parameters (PDO or mysqli) so that request input can never become part of the SQL text. Escaping alone is not an adequate substitute, and the value should additionally be validated against the shape the script expects before it reaches the query.
Proactive Monitoring: Review web-server and application access logs for requests to the cancel-order.php endpoint whose parameters contain SQL syntax (keywords such as UNION, SELECT or OR, quote characters, comment sequences). URL-decode the query string before matching, since payloads arrive percent-encoded, and keep in mind that standard access logs do not record POST bodies, so an injection carried in a form body is invisible without request-body logging or WAF logs.
Compensating Controls: Until the code is fixed, a WAF rule that drops requests to the endpoint containing SQL injection signatures reduces exposure, and strict input validation at the application entry points (rejecting any value that does not match the expected format) narrows the attack surface. Treat both as stopgaps: signature matching is routinely bypassed through encoding and keyword variation, and neither removes the underlying concatenation of input into SQL.
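The following is an added illustration of the parameterized-query fix, not code from Simple Food Order System or from the real cancel-order.php. The parameter name order_id, the orders table with id and user_id columns, and the availability of the authenticated customer's id are all assumptions made for the example; the project's actual names are not given in this advisory. The vulnerable function shows the class of bug described above beside its hardened replacement, and the demo at the bottom runs both against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example for this advisory, not the project's code.
// Assumptions (hypothetical, not taken from the real cancel-order.php):
// request parameter "order_id", table "orders" with columns id and
// user_id, and the logged-in customer's id available to the script.
// Runs stand-alone with `php cancel-order-example.php` using pdo_sqlite;
// on the real stack replace the DSN with the MySQL one.
declare(strict_types=1);

// Vulnerable pattern (the class of bug the advisory describes): request
// input is spliced into the SQL text, so the input can change the
// statement itself, not just the value it is compared against.
function cancelOrderVulnerable(PDO $pdo, string $orderId): int
{
    $sql = "DELETE FROM orders WHERE id = " . $orderId;
    return $pdo->exec($sql);           // an order_id of "1 OR 1=1" removes every order
}

// Hardened pattern: fixed SQL text, the value travels as a typed bound
// parameter, and the row must belong to the requesting user so the
// endpoint cannot be used to cancel other customers' orders either.
function cancelOrderSafe(PDO $pdo, string $rawOrderId, int $userId): int
{
    if (!ctype_digit($rawOrderId)) {   // reject anything that is not a plain integer
        throw new InvalidArgumentException('order_id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM orders WHERE id = :id AND user_id = :uid');
    $stmt->bindValue(':id', (int) $rawOrderId, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();          // 0 means no such order for this user
}

// Demo against an in-memory SQLite database seeded with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$seed = function (PDO $pdo): void {
    $pdo->exec('DROP TABLE IF EXISTS orders');
    $pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, item TEXT)');
    $pdo->exec("INSERT INTO orders (id, user_id, item) VALUES (1, 10, 'burger'), (2, 10, 'fries'), (3, 11, 'pizza')");
};
$payload = '1 OR 1=1';   // attacker-controlled value sent as order_id

$seed($pdo);
printf("vulnerable: %d rows deleted by order_id=%s\n", cancelOrderVulnerable($pdo, $payload), $payload);

$seed($pdo);
try {
    cancelOrderSafe($pdo, $payload, 10);
} catch (InvalidArgumentException $e) {
    echo "safe: payload rejected before any query ran ({$e->getMessage()})\n";
}
printf("safe: %d rows deleted when user 10 cancels order 3, which belongs to user 11\n", cancelOrderSafe($pdo, '3', 10));
printf("safe: %d rows deleted when user 11 cancels their own order 3\n", cancelOrderSafe($pdo, '3', 11));
```

Two design points carry over to the real script regardless of the names assumed here. First, the ownership check (user_id = :uid) is what turns the endpoint from "anyone can cancel any order" into "a customer can cancel their own order", so cancel-order.php should also require an authenticated session before reaching the query. Second, when the DSN is MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements rather than client-side quoting.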
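For the log review suggested under Proactive Monitoring, the following added example (not part of the project) scans combined-format web-server access logs for requests to /food/routers/cancel-order.php whose URL-decoded query string contains SQL syntax. The sample log lines are constructed for the example, the order_id parameter and the order.php path in them are hypothetical, and the keyword list is a starting point to be tuned against the application's legitimate values.

```php
<?php
// Added example for this advisory, not part of Simple Food Order System.
// Scans combined-format access logs for requests to cancel-order.php whose
// URL-decoded query string carries SQL syntax. Sample lines below are
// constructed; "order_id" and "order.php" are hypothetical names.
// Usage: php scan-cancel-order.php /var/log/apache2/access.log
declare(strict_types=1);

const TARGET = '/food/routers/cancel-order.php';

// Combined log line: ip ident user [time] "METHOD target HTTP/x" status bytes ...
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

// Keywords and metacharacters typical of injection payloads. Word boundaries
// keep "order" from matching "or"; tune the list for the application's real values.
const SQLI_RE = '/\b(union|select|insert|update|delete|drop|sleep|benchmark|or|and)\b|--|\/\*|#|;|\'|"/i';

function decodeQuery(string $query): string
{
    // urldecode() turns + into space and %27 into '; the second pass
    // catches double-encoded payloads such as %2527.
    return urldecode(urldecode($query));
}

/** @param iterable<string> $lines @return list<array<string,string>> */
function scanAccessLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue;                                   // not a parseable access-log line
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $path  = strtok($target, '?');
        $query = (string) strtok('?');                  // '' when there is no query string
        if ($path !== TARGET) {
            continue;                                   // only the vulnerable endpoint
        }
        $decoded = decodeQuery($query);
        if ($decoded !== '' && preg_match(SQLI_RE, $decoded)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'status' => $status,
                       'reason' => 'SQL syntax in query string', 'query' => $decoded];
        } elseif ($method === 'POST' && $query === '') {
            // Access logs do not record POST bodies, so an injection sent in a
            // form body cannot be judged here; surface it for manual review.
            $hits[] = ['ip' => $ip, 'time' => $time, 'status' => $status,
                       'reason' => 'POST body not logged', 'query' => '(unknown)'];
        }
    }
    return $hits;
}

// Constructed sample lines: a benign request, a percent-encoded tautology, a
// double-encoded UNION payload, a POST that cannot be judged, and an injection
// against a different script that this scanner deliberately ignores.
$sample = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /food/routers/cancel-order.php?order_id=17 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /food/routers/cancel-order.php?order_id=17%20OR%201%3D1 HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "GET /food/routers/cancel-order.php?order_id=17%2527%2520UNION%2520SELECT%25201%2C2--%2520 HTTP/1.1" 200 611 "-" "curl/8.5.0"',
    '198.51.100.3 - - [10/Mar/2026:12:01:00 +0000] "POST /food/routers/cancel-order.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:12:01:30 +0000] "GET /food/routers/order.php?id=17%20OR%201%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];
$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;
foreach (scanAccessLog($lines) as $hit) {
    printf("%s %s %s %s | %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['reason'], $hit['query']);
}
```

Of the five constructed lines, the scanner reports the two encoded payloads and the POST request, and stays silent on the benign request and on the payload aimed at the other script. A high rate of POST entries is the cue to enable request-body logging (or to pull the WAF's logs) for this endpoint, because the access log alone cannot distinguish a legitimate cancellation from an injected one.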
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical CVSS score, this vulnerability must be addressed immediately. Developers and administrators should ensure that every database interaction that takes request input uses a prepared statement with bound parameters, and that input is validated server-side before use, so that no user-supplied value can change the structure of a query.