CVE-2025-2387
Published: 17 March 2025
Summary
CVE-2025-2387 is a high-severity Injection (CWE-74) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating the 'pid' argument in /admin/ajax.php?action=add_to_cart before database processing.
Ensures timely patching and remediation of the specific SQL injection flaw in the Online Food Ordering System.
Deploys boundary protection such as a web application firewall to block malicious SQL payloads targeting the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web application (/admin/ajax.php) enables initial access via exploitation (T1190) and unauthorized database queries for data collection (T1213.006).
NVD Description
A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2387 is a critical SQL injection vulnerability in SourceCodester Online Food Ordering System 2.0, affecting an unknown function within the file /admin/ajax.php?action=add_to_cart. The issue arises from manipulation of the 'pid' argument, allowing attackers to inject malicious SQL payloads. It is assigned CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the application's database.
Advisories from VULDB (ctiid.299886, id.299886, submit.516681) and a GitHub issue (aionman/cve/issues/9) detail the vulnerability and confirm the public disclosure of an exploit. The vendor site at sourcecodester.com hosts the affected software, where practitioners should check for updates or patches. No specific mitigation steps are outlined in the primary description, emphasizing the need to review referenced sources promptly.
The exploit has been publicly disclosed and may be actively used, urging immediate scanning and patching of exposed instances.
Details
- CWE(s)