CVE Alert: CVE-2025-11604 – projectworlds – Online Ordering Food System

CVE-2025-11604

HIGH | No exploitation known

A vulnerability was determined in projectworlds Online Ordering Food System 1.0. This issue affects some unknown processing of the file /all-orders.php. Manipulation of the argument Status leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

CVSS v3.1: 7.3
Vendor: projectworlds
Product: Online Ordering Food System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-11T14:02:05.580Z
Updated: 2025-10-11T14:02:05.580Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated SQL injection with a publicly disclosed exploit makes active exploitation plausible.

Why this matters

This can expose customer data and orders, undermine data integrity, and disrupt ordering operations. For organisations using the product, reputational harm and potential regulatory exposure are likely if sensitive information is leaked or modified.

Most likely attack path

An attacker targets the web-facing /all-orders.php endpoint, supplying a crafted Status parameter to trigger a SQL injection. With network access and no user interaction required, the attacker can read or alter data in the backend database (C:L/I:L/A:L), enabling data exfiltration or manipulation and potential further abuse of the application.

Who is most exposed

Any deployment of the Projectworlds Online Ordering Food System 1.0 that is publicly reachable over the internet is at risk—typical in small to mid-sized shops running web-hosted PHP stacks with shared DB credentials.

Detection ideas

  • Unusual or unauthorised SQL patterns in access-log requests to /all-orders.php
  • Anomalous query lengths, or error messages that reference the database schema
  • Spikes in GET/POST requests containing Status-like parameters
  • Increased DB query latency or HTTP 500 errors following requests to /all-orders.php
  • Evidence of reads from the orders table outside the normal workflow
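The detection ideas above can be turned into a simple log scan. The following is an added example, not part of the advisory and not the vendor's code: it parses combined-format access-log lines (constructed samples, not real traffic), keeps only requests to /all-orders.php, and flags any Status-like parameter that is oversized or contains SQL metacharacters, plus HTTP 500 responses from that script. The length threshold and pattern list are assumptions to tune for your environment.

```php
<?php
// Added example (not from the advisory or the vendor): flag suspicious
// requests to /all-orders.php in web-server access logs.
declare(strict_types=1);

// Legitimate order states are short words; anything longer is suspicious (assumed threshold).
const MAX_STATUS_LEN = 32;
// Quotes, comment markers and common SQL keywords that never belong in a status value.
const SQLI_PATTERN = '/(\'|"|--|#|\/\*|\bunion\b|\bselect\b|\bsleep\s*\()/i';

// Constructed sample log lines in combined-log style (not real traffic).
$sampleLog = <<<'LOG'
203.0.113.5 - - [11/Oct/2025:14:10:01 +0000] "GET /all-orders.php?Status=Pending HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2025:14:10:07 +0000] "GET /all-orders.php?Status=Pending'%20OR%20'1'%3D'1 HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2025:14:11:22 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2025:14:11:30 +0000] "GET /all-orders.php?status=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 500 512 "-" "curl/8.0"
LOG;

// Returns a finding for one log line, or null if nothing is suspicious.
function analyzeLine(string $line): ?array
{
    // client, ident, user, [timestamp], "METHOD target PROTO", status
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) /', $line, $m)) {
        return null; // not a parsable access-log line
    }
    [, $ip, $ts, $method, $target, $status] = $m;
    if (parse_url($target, PHP_URL_PATH) !== '/all-orders.php') {
        return null; // only the vulnerable endpoint is of interest here
    }

    $params = [];
    parse_str((string) parse_url($target, PHP_URL_QUERY), $params); // percent-decodes values

    $reasons = [];
    foreach ($params as $name => $value) {
        // "Status-like": any parameter whose name contains "status", in any case.
        if (!is_string($value) || stripos((string) $name, 'status') === false) {
            continue;
        }
        if (strlen($value) > MAX_STATUS_LEN) {
            $reasons[] = sprintf('oversized %s (%d bytes)', $name, strlen($value));
        }
        if (preg_match(SQLI_PATTERN, $value)) {
            $reasons[] = sprintf('SQL metacharacters in %s', $name);
        }
    }
    if ($status === '500') {
        $reasons[] = 'HTTP 500 from /all-orders.php';
    }
    if ($reasons === []) {
        return null;
    }
    return ['ip' => $ip, 'time' => $ts, 'method' => $method, 'reasons' => $reasons];
}

// Scan the sample (replace with a real file: file('access.log', FILE_IGNORE_NEW_LINES)).
foreach (explode("\n", $sampleLog) as $line) {
    $finding = analyzeLine($line);
    if ($finding !== null) {
        printf("%s %s %s: %s\n", $finding['time'], $finding['ip'], $finding['method'],
            implode('; ', $finding['reasons']));
    }
}
```

The second and fourth sample lines are reported (quote and keyword in Status; oversized lowercase status plus a 500), the first and third are not. Correlating repeated findings from one client address within a short window is a cheap way to prioritise alerts.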

Mitigation and prioritisation

  • Apply the vendor patch or upgrade to a fixed version; ensure all database input is parameterised (prepared statements)
  • Restrict the DB account used by the web app to least privilege; remove dynamic query construction
  • Implement input validation and an allowlist of accepted values for the Status parameter; add WAF rules to block SQL patterns
  • Audit and monitor for data exfiltration; enable enhanced logging on access to orders data
  • Change management: deploy in staging first, then roll out to production with validation
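The first three mitigations come down to one code change in the status filter. The following is an added example, not the vendor's all-orders.php: it shows the concatenation pattern behind CWE-89 next to a hardened version that allowlists the Status value and binds it as a parameter. Table and column names, the set of order states, and the use of PDO with an in-memory SQLite database (so the example runs offline) are assumptions; the same prepare/execute calls work unchanged against MySQL through PDO's mysql driver.

```php
<?php
// Added example (not the vendor's code): unsafe vs. hardened status filter.
declare(strict_types=1);

// Assumed vocabulary of legitimate order states.
const ALLOWED_STATUS = ['Pending', 'Processing', 'Delivered', 'Cancelled'];

// Vulnerable pattern: request input concatenated into the SQL text.
function ordersByStatusUnsafe(PDO $db, string $status): array
{
    $sql = "SELECT id, customer, total FROM orders WHERE status = '$status'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything outside the allowlist, then bind the value
// so the database never parses it as SQL.
function ordersByStatusSafe(PDO $db, string $status): array
{
    if (!in_array($status, ALLOWED_STATUS, true)) {
        throw new InvalidArgumentException('Unknown order status');
    }
    $stmt = $db->prepare('SELECT id, customer, total FROM orders WHERE status = :status');
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request-handling wrapper: validate before touching the database and answer
// 400 rather than leaking a database error to the client.
function handleStatusRequest(PDO $db, array $get): array
{
    $status = $get['Status'] ?? 'Pending';
    if (!is_string($status)) {
        http_response_code(400);
        return [];
    }
    try {
        return ordersByStatusSafe($db, $status);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return [];
    }
}

// Demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL, status TEXT)');
$db->exec("INSERT INTO orders (customer, total, status) VALUES
    ('alice', 12.50, 'Pending'), ('bob', 40.00, 'Delivered'), ('carol', 7.25, 'Cancelled')");

$crafted = "Pending' OR '1'='1"; // textbook tautology, constructed for the demo
printf("unsafe, crafted input: %d rows\n", count(ordersByStatusUnsafe($db, $crafted)));
printf("safe, 'Pending': %d rows\n", count(ordersByStatusSafe($db, 'Pending')));
printf("safe, crafted input: %d rows\n", count(handleStatusRequest($db, ['Status' => $crafted])));
```

With the crafted input the unsafe query's WHERE clause becomes a tautology and every order comes back, while the hardened path returns one row for 'Pending' and nothing for the crafted value. The allowlist is the stronger of the two controls for an enumerated field like Status: it makes the bound parameter a second line of defence rather than the only one, and it gives the WAF rule mentioned above a precise definition of what legitimate traffic looks like.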
