SourceCodester Online Food Ordering System ajax.php sql injection
Description
A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Online Food Ordering System 2.0 suffers from a critical SQL injection in /admin/ajax.php via the pid parameter, allowing unauthenticated remote attackers to manipulate database queries.
Vulnerability
A SQL injection vulnerability exists in the /admin/ajax.php?action=add_to_cart endpoint of SourceCodester Online Food Ordering System version 2.0 [1]. The flaw is in the handling of the pid POST parameter, which is used directly in SQL queries without proper sanitization or validation. This allows an attacker to inject arbitrary SQL commands. No authentication is required to reach this code path [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to /admin/ajax.php?action=add_to_cart with a malicious pid parameter [1]. Proof-of-concept details have been publicly disclosed, including time-based blind SQL injection payloads using AND (SELECT * FROM (SELECT(SLEEP(n)))...) to extract data or perform other database operations [1]. No special network position or user interaction is needed; the attack can be launched remotely over HTTP.
Impact
Successful exploitation allows the attacker to gain unauthorized access to the underlying database. This can lead to data leakage (sensitive information such as credentials or orders), data tampering, privilege escalation within the application, and potentially full system control depending on database permissions [1]. The vulnerability is rated critical due to the low complexity and high potential for compromise.
Mitigation
As of publication, no official patch from the vendor has been released for Online Food Ordering System version 2.0 [1]. The affected version is listed as V2.0 on SourceCodester [1][2]. Until a fix is provided, users should apply input validation and parameterized queries to the pid parameter in /admin/ajax.php, and consider restricting access to the admin panel via network-level controls or a web application firewall (WAF). This CVE is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog.
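The mitigation above, shown as an added example written for this page; it is not code from the Online Food Ordering System. The vulnerable pattern is the one the advisory describes (pid interpolated straight into a query string); the `products` table, its `pid` column, the function names and the lookup-by-pid behaviour of add_to_cart are assumptions, not taken from the project.

```php
<?php
// Added illustrative example, not code from the Online Food Ordering System.
// Assumptions (not from the advisory): a PDO handle, a `products` table with
// an integer `pid` column, and that add_to_cart looks the product up by pid.

// Pattern the advisory describes: pid is interpolated into the SQL string,
// so the database parses whatever the client sent as part of the query.
function addToCartVulnerable(PDO $pdo, array $post): ?array
{
    $pid = $post['pid'] ?? '';
    $sql = "SELECT * FROM products WHERE pid = $pid"; // injectable
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: validate the type first, then bind the value as a query
// parameter so it reaches the database as data, never as SQL text.
function addToCartFixed(PDO $pdo, array $post): ?array
{
    // pid must be a positive integer; anything else is rejected outright
    // rather than "cleaned", which is where ad-hoc escaping usually fails.
    $pid = filter_var($post['pid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM products WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Burger', 5.50), (2, 'Pizza', 9.00)");

var_dump(addToCartFixed($pdo, ['pid' => '2']));        // row for Pizza
var_dump(addToCartFixed($pdo, ['pid' => '2 OR 1=1'])); // NULL: not an integer
var_dump(addToCartFixed($pdo, ['pid' => '-5']));       // NULL: out of range
```

Validation and parameter binding are kept as two separate layers on purpose: the integer check stops malformed input at the edge and gives a clean 400, while the prepared statement guarantees that even a value which slips past validation elsewhere in the code base cannot change the query's structure. Every other handler that reads a request parameter into SQL in ajax.php should receive the same treatment, not only the add_to_cart action named in this advisory.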
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.0
- Range: 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/aionman/cve/issues/9 (mitre; exploit, issue-tracking)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
- www.sourcecodester.com (mitre; product)
News mentions
No linked articles in our index yet.