Impact
A stored cross‑site scripting vulnerability exists in the contact.php script of the Online Food Ordering System. The system accepts user input via the "Name" argument and echoes it back without proper sanitization, allowing an attacker to insert malicious scripts that will run in the browsers of any user viewing the affected page. The flaw is classified as CWE‑79 and can be triggered by sending a crafted request. The attack leverages the web application’s ability to store and display user-provided data, and the vulnerability can be triggered from any remote host that can reach the application. The publicly available exploit demonstrates that no special privileges or credentials are required. The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available. The flaw is not listed in CISA’s KEV catalog, yet the presence of a public exploit and the ability to inject scripts remotely mean that exposed installations are at risk of defacement, data theft, or session hijacking.
Affected Systems
The affected product is the Online Food Ordering System 1.0 from code‑projects. The issue resides in the file /dbfood/contact.php, specifically where the "Name" form field is processed and displayed. No additional version information is available beyond the stated 1.0 release.
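The defect described above is a failure to encode user-controlled data at the point where it is written into HTML. The following PHP is an added illustration, not code from the Online Food Ordering System or from code-projects: the real contact.php source is not reproduced here, so `render_name_vulnerable()` is an assumption about the shape of the bug (a stored "Name" value concatenated straight into markup), and `render_name_hardened()` and `validate_name()` are the corresponding fixes a maintainer would apply. The sample inputs are constructed.

```php
<?php
// Added example: vulnerable-vs-hardened rendering of a stored "Name" field.
// Not the project's code; the vulnerable function only reconstructs the
// pattern the advisory describes (user input echoed back unencoded).

declare(strict_types=1);

// Vulnerable pattern (assumed shape of the bug): the stored value is
// interpolated directly into HTML, so any markup the user typed becomes
// part of the page and is interpreted by every visitor's browser.
function render_name_vulnerable(string $storedName): string
{
    return "<p>Thanks for contacting us, " . $storedName . "!</p>";
}

// Hardened pattern: contextual output encoding for an HTML text node.
// ENT_QUOTES also encodes single quotes, so the same helper stays safe
// inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of silently returning an empty string, which would mask the problem.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_hardened(string $storedName): string
{
    return "<p>Thanks for contacting us, " . html_escape($storedName) . "!</p>";
}

// Defence in depth at input time: a visitor's name never needs markup
// characters, so reject them before the value reaches the database.
// This is a validation rule, not a replacement for encoding on output,
// because the same stored value may later be rendered in other contexts.
function validate_name(string $input): ?string
{
    $trimmed = trim($input);
    // Letters of any script, combining marks, spaces, apostrophes,
    // hyphens and periods; 1 to 80 characters.
    if (preg_match('/^[\p{L}\p{M} .\'\-]{1,80}$/u', $trimmed) !== 1) {
        return null;
    }
    return $trimmed;
}

// Constructed sample inputs for a stand-alone run (not taken from the advisory).
$samples = [
    "Ann O'Hara",
    "Ann <b>O'Hara</b>",
];

foreach ($samples as $name) {
    echo "input:      ", $name, PHP_EOL;
    echo "vulnerable: ", render_name_vulnerable($name), PHP_EOL;
    echo "hardened:   ", render_name_hardened($name), PHP_EOL;
    echo "validated:  ", validate_name($name) ?? '(rejected)', PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php`: the second sample is emitted verbatim by the vulnerable renderer, appears with `&lt;`, `&gt;` and `&#039;` in the hardened output, and is rejected by the validator. Encoding at the output sink is the fix that actually closes CWE-79; the validation step only narrows what can be stored.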
Risk and Exploitability
Despite the moderate CVSS score and the absence of EPSS data, the risk is considered significant because the attack is remote and a public exploit is available. Attackers can compromise the integrity of the web page, execute arbitrary JavaScript in visitors' browsers, and potentially affect the confidentiality of user data.
OpenCVE Enrichment