SourceCodester Online Food Ordering System version 1.0 contains a flaw in the admin/view_product.php page where the id parameter is inserted directly into a SQL query without validation or sanitisation. This allows an attacker to manipulate the underlying database query, potentially extracting sensitive data such as product details, orders or customer information, and even altering or deleting records. The vulnerability is a classic SQL injection (CWE‑89) that compromises database confidentiality and integrity.

The vulnerability affects the Online Food Ordering System v1.0, a web application for ordering food developed by oretnom23, specifically within the admin/view_product.php endpoint. No other versions or components are referenced; thus the risk applies only to this product version.

The CVSS base score of 9.8 signals a critical severity, yet the EPSS score below 1% indicates a low probability of current exploitation, and the issue is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending crafted HTTP requests to the vulnerable admin/view_product.php endpoint. Based on the description, it is inferred that access to this page is intended for administrators, so an attacker would normally need to bypass authentication or use compromised administrative credentials to reach it. Once accessed, the injection allows manipulation of the underlying database.