CVE-2026-30530
SourceCodester · Online Food Ordering System
SourceCodester Online Food Ordering System v1.0 contains a critical SQL injection vulnerability in the `save_customer` action within `Actions.php`.
Executive summary
Unauthenticated attackers can execute arbitrary SQL commands on the Online Food Ordering System database, leading to the full compromise of customer data and system credentials.
Vulnerability
A SQL injection vulnerability exists in the Actions.php file. During the save_customer action, the value of the "username" parameter is incorporated into a database query without sanitization or parameterization, so an unauthenticated attacker can alter the structure of the query rather than merely supplying data to it.
Business impact
Successful exploitation allows for the complete exfiltration of the customer database, including personally identifiable information (PII) and hashed passwords. Attackers may also be able to modify database records or gain administrative access to the application. The CVSS score of 9.8 indicates a critical risk to data integrity and confidentiality.
Remediation
Immediate Action: Manually patch the Actions.php file to use prepared statements or parameterized queries for the save_customer action.
Proactive Monitoring: Review web server and database logs for common SQL injection patterns, such as single quotes, SQL comment sequences (--), or UNION SELECT fragments in POST requests. Note that default web server access logs record only the request line and query string, not POST bodies, so request-body logging (for example from the WAF or the application itself) is needed to see these patterns for this endpoint.
Compensating Controls: Place a Web Application Firewall (WAF) in front of the Actions.php endpoint to filter malicious input until the code fix is applied; treat this as a stopgap, not a substitute for parameterizing the query.
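To make the "Immediate Action" concrete, the following is an added illustration written for this advisory, not the project's actual Actions.php: a minimal save_customer handler in the weak, string-concatenating form beside a hardened version that uses a mysqli prepared statement. The table and column names (customers, username, password), the connection details and the action-dispatch shape are assumptions.

```php
<?php
// Added illustration, not the project's code. Table/column names,
// connection parameters and the action parameter name are assumed.

// WEAK: the username value is spliced into the SQL text, so a crafted
// value changes the query's structure. This is the pattern behind the CVE.
function save_customer_weak(mysqli $db, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    $sql = "INSERT INTO customers (username, password) "
         . "VALUES ('$username', '$password')";
    return $db->query($sql) === true;
}

// HARDENED: the SQL text is sent with placeholders and the values are
// bound separately, so the driver always treats them as data.
function save_customer_safe(mysqli $db, array $post): bool
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Reject values that cannot be a valid username before touching the DB.
    if ($username === '' || strlen($username) > 64) {
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO customers (username, password) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Store a password hash, never the plaintext.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatch on the action name (parameter location and DB credentials assumed;
// replace the placeholder credentials with the deployment's own).
$db = new mysqli('localhost', 'APP_DB_USER', 'APP_DB_PASSWORD', 'food_ordering');
$db->set_charset('utf8mb4');
if (($_GET['action'] ?? '') === 'save_customer') {
    echo save_customer_safe($db, $_POST) ? 'saved' : 'rejected';
}
```

The weak function is kept only to show the defect side by side; in the patched file only the prepared-statement version should remain.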
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users of this system must apply manual code fixes immediately, as v1.0 is highly vulnerable to automated attacks. Transitioning to a more secure, actively maintained platform is strongly recommended for production environments handling sensitive customer information.