CVE-2026-30532

SourceCodester · Online Food Ordering System

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 within the admin/view_product.php file via the "id" parameter.

Executive summary

SourceCodester Online Food Ordering System v1.0 is vulnerable to a critical SQL injection flaw that could allow an attacker to compromise the underlying database.

Vulnerability

This vulnerability is a SQL injection in admin/view_product.php. The value of the id request parameter reaches the database query without validation or parameter binding, so an attacker who can reach that script can change the structure of the query and execute arbitrary SQL against the application's database. The advisory does not state whether the script checks for an authenticated admin session before the query runs; the 9.8 score cited below is consistent with a network-reachable flaw that requires no authentication, so the admin/ path prefix should not be assumed to be a mitigation.

Business impact

Successful exploitation of this vulnerability could lead to total loss of confidentiality, integrity, and availability of the application's data. Given the CVSS score of 9.8, an attacker could extract sensitive user information, modify menu data, or gain full administrative control over the food ordering platform, resulting in significant operational disruption and reputational damage.

Remediation

Immediate Action: Update to a fixed release if the vendor has published one. If not, patch admin/view_product.php directly: replace the string-built query with a prepared statement that binds id as a parameter, and reject any id value that is not a positive integer before the query runs. Prepared statements do not "sanitize" input; they keep the value out of the SQL text entirely, which is what removes the injection.
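
The vulnerable query pattern beside its hardened form, as an added example that is not code from the advisory or from the SourceCodester project. The application is written in PHP; the example uses Python's sqlite3 module so that it runs stand-alone, and the fix is the same shape in PHP with PDO::prepare and a bound parameter. The table and column names (product_list, users, id, name, price, username, password) and the rows are constructed for the demonstration and are not assumed to match the real schema.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration; they are not
# assumed to match the real application's tables.
SAMPLE_PRODUCTS = [
    (1, "Margherita Pizza", 8.50),
    (2, "Chicken Biryani", 9.00),
    (3, "Garlic Naan", 2.25),
]
SAMPLE_USERS = [
    (1, "admin", "$2y$10$constructed-hash-not-a-real-credential"),
]


def make_db():
    """In-memory SQLite database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product_list (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO product_list VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def view_product_vulnerable(conn, product_id):
    """The flaw class described above: the request value is spliced into the
    SQL text, so it can change the structure of the query."""
    sql = f"SELECT id, name, price FROM product_list WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def view_product_fixed(conn, product_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The value travels to the driver separately from the SQL text and is
    never parsed as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    if pid <= 0:
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name, price FROM product_list WHERE id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology: the WHERE clause becomes "id = 1 OR 1=1" and every product leaks.
    print(view_product_vulnerable(db, "1 OR 1=1"))
    # UNION: rows from an unrelated table are appended to the product result.
    print(view_product_vulnerable(db, "-1 UNION SELECT id, username, password FROM users"))
    # The same inputs against the fixed function: one row, then a rejection.
    print(view_product_fixed(db, "1"))
    try:
        view_product_fixed(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

In PHP the fixed function corresponds to $pdo->prepare('SELECT ... WHERE id = ?') followed by execute([$id]), or mysqli_prepare with bind_param('i', $id), with the same integer check performed first. The integer check is defence in depth, not the fix: binding alone already prevents the injection, but rejecting non-numeric ids early also gives the monitoring step below a clean signal.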

Proactive Monitoring: Monitor web server access logs for SQL keywords (e.g., SELECT, UNION, SLEEP, BENCHMARK), quote characters and comment markers (', --, /*) in URL parameters under the admin/ directory. Percent-decode parameter values before matching, since payloads normally arrive encoded (for example %20UNION%20SELECT), and decode a second time to catch double encoding. For id specifically, which should only ever be numeric, any non-numeric value is worth an alert on its own. Time-based blind probes (SLEEP, BENCHMARK) also show up as unusually slow responses from admin/view_product.php.
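
A minimal implementation of that log check, as an added example rather than tooling from the advisory or the project. It runs over constructed combined-format log lines embedded in the block (RFC 5737 test addresses, illustrative payloads), assumes the default Apache/nginx combined log layout, and uses a deliberately narrow signature list tuned for the admin/ scripts, where parameters such as id should only ever be numeric.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format access log lines; the addresses are RFC 5737
# test ranges and the payloads are illustrative, not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:15:32 +0000] "GET /admin/view_product.php?id=5 HTTP/1.1" 200 1043
203.0.113.5 - - [10/Mar/2026:10:15:40 +0000] "GET /admin/view_product.php?id=5%20UNION%20SELECT%201,user(),3-- HTTP/1.1" 200 1211
198.51.100.7 - - [10/Mar/2026:10:16:02 +0000] "GET /admin/view_product.php?id=5%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1043
198.51.100.7 - - [10/Mar/2026:10:16:30 +0000] "GET /index.php?q=select+pizza HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2026:10:17:11 +0000] "GET /admin/view_product.php?id=%2531%2520OR%25201%253D1 HTTP/1.1" 200 3302
"""

# Fields of a combined-format line that the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords named in the advisory plus the comment markers and quote characters
# that most payloads need. Tuned for admin/ parameters; too noisy for free-text
# search boxes, which is why the scan is scoped by path prefix.
SQLI_RE = re.compile(
    r"\b(union|select|sleep|benchmark|information_schema)\b"
    r"|\b(or|and)\b\s*[\w'\"]+\s*="   # tautologies such as OR 1=1
    r"|--|/\*|#|['\"]",               # comment markers and quote characters
    re.IGNORECASE,
)


def scan_access_log(log_text, scope_prefix="/admin/"):
    """Return one record per suspicious parameter value in requests under scope_prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(scope_prefix):
            continue
        # parse_qsl decodes once; the extra unquote catches double encoding
        # such as %2531 -> %31 -> 1. A legitimate literal '%' in a value would
        # also be decoded twice, which is acceptable for numeric admin parameters.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(raw)
            found = SQLI_RE.search(value)
            if found:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "matched": found.group(0),
                })
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]!r} ({h["matched"]!r})')
```

Run as written, the scan reports the three admin/ requests carrying a UNION, a quoted SLEEP probe and the double-encoded tautology, and ignores the benign id=5 request and the non-admin search. Widening scope_prefix to "/" pulls in the index.php search as well, which illustrates why the keyword list is scoped to the admin scripts rather than applied site-wide.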

Compensating Controls: Deploy a Web Application Firewall (WAF) with active SQL injection rules in front of the vulnerable PHP scripts, and restrict network access to the admin/ directory where the deployment allows it. Treat both as stopgaps: WAF signatures can be bypassed, and neither removes the flaw in the query itself.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical risk to the data integrity of the Online Food Ordering System. It is highly recommended that the application be taken offline or patched immediately to prevent unauthorized database access. Prioritize the implementation of parameterized queries to eliminate the root cause of the injection.