CVE-2026-30533

SourceCodester · Online Food Ordering System

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 within the admin/manage_product.php file via the "id" parameter.

Executive summary

A critical SQL injection vulnerability in SourceCodester Online Food Ordering System v1.0 allows for unauthorized database manipulation through the administrative product management interface.

Vulnerability

The admin/manage_product.php file fails to properly sanitize the id parameter, leading to a SQL Injection vulnerability. This flaw resides within the administrative module, potentially allowing an attacker to bypass authentication or escalate privileges.

Business impact

The impact of this vulnerability is severe, as reflected by its CVSS score of 9.8. An attacker can gain unauthorized access to the database, leading to the theft of customer records or the alteration of financial and product data. Such a breach would likely result in system downtime and a loss of customer trust in the platform's security.

Remediation

Immediate Action: Update the Online Food Ordering System to the latest version, or manually implement input validation and parameterized queries for the id parameter in manage_product.php.
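The fix described above, shown as an added illustrative example rather than code from the SourceCodester project: the vulnerable pattern (the id parameter concatenated straight into the SQL text) next to a hardened version that first validates id as a positive integer and then binds it through a prepared statement. The table and column names (products, id), the $conn mysqli handle and the function names are assumptions for the example.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// $conn handle are assumptions; the point is the pattern, not the schema.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative only, do not use) ------------------
// The raw request value reaches the query string unchanged, so any SQL
// syntax supplied in "id" becomes part of the statement.
function load_product_unsafe(mysqli $conn, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM products WHERE id = " . $id;
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version ----------------------------------------------------
// Step 1: validate. A product id is a positive integer; anything else is
// rejected before it gets near the database. Returns null on bad input.
function parse_product_id(array $get): ?int
{
    $raw = $get['id'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: parameterize. The value is bound as an integer placeholder, so
// SQL text and data never mix regardless of what the client sent.
function load_product_safe(mysqli $conn, array $get): ?array
{
    $id = parse_product_id($get);
    if ($id === null) {
        http_response_code(400); // reject malformed ids instead of guessing
        return null;
    }
    $stmt = $conn->prepare('SELECT * FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage inside the page handler (assumed $conn already connected):
// $product = load_product_safe($conn, $_GET);
```

The two steps are deliberately independent: integer validation alone would already defeat injection through an integer id, and the prepared statement alone would already keep data out of the SQL text, but applying both means a later change (say, the id becoming a string slug) does not silently reopen the hole. The same prepared-statement pattern should be applied to every query in the file, not only the one that reads id.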

Proactive Monitoring: Review database logs for unauthorized query executions and audit administrative account activity for signs of hijacking or credential misuse.

Compensating Controls: Use a Web Application Firewall (WAF) to inspect requests to the administrative subdirectories and block malicious payloads containing SQL syntax.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of a 9.8 CVSS score necessitates immediate remediation. Organizations using this software must apply security updates or move the administrative interface behind a strictly controlled VPN or IP allowlist to mitigate the risk of remote exploitation.