CVE-2026-4844
SQL Injection in Online Food Ordering Admin Login Module
Publication date: 2026-03-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_food_ordering_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4844 is a critical pre-authentication time-based blind SQL injection vulnerability in the Online Food Ordering System 1.0 by code-projects.org. It exists in the /admin.php file, specifically in the "username" parameter of the admin login form, which is processed via a POST multipart/form-data request.
This vulnerability allows unauthenticated remote attackers to inject SQL code before any authentication checks occur, requiring no session cookies, credentials, or prior access.
The injection exploits the "username" parameter by appending a payload that uses MySQL's SLEEP() function to induce a time delay, confirming the vulnerability through measurable response delays.
The payload structure involves closing the original string, concatenating a nested SELECT statement that triggers the delay, and then reopening the string, enabling time-based blind SQL injection.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Enumeration and extraction of all administrative credentials, customer data, and order history.
- Authentication bypass to gain admin panel access without valid credentials using boolean-based payloads.
- Unauthorized data manipulation such as altering menu items, prices, and orders.
- Full database dumps using automated tools like sqlmap.
The impact is severe due to the lack of authentication requirements, direct targeting of the admin login, and the potential for full system compromise. Sensitive customer personally identifiable information (PII), payment data, and the integrity of the entire ordering system are at significant risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted POST requests to the /admin.php endpoint, targeting the "username" parameter with time-based blind SQL injection payloads. The detection relies on measuring response delays caused by the injected SQL SLEEP() function.
A typical detection command involves using tools like curl or automated SQL injection tools such as sqlmap to send payloads that cause a delay in the server response if the vulnerability is present.
- Example curl command to test the vulnerability by injecting a time delay payload in the username parameter:
- curl -X POST https://targetsite/admin.php -F "username=admin' AND (SELECT IF(SLEEP(5),1,0))-- " -F "password=any"
- If the response time is significantly delayed (e.g., 3 to 5 seconds), it indicates the presence of the SQL injection vulnerability.
- Alternatively, use sqlmap to automate detection and exploitation:
- sqlmap -u https://targetsite/admin.php --data="username=admin&password=any" --method=POST --technique=T --time-sec=5
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the /admin.php endpoint by IP whitelisting or VPN to limit exposure to trusted users only.
- Implement input validation and parameterized queries or prepared statements in the admin login module to prevent SQL injection.
- Apply web application firewall (WAF) rules to detect and block SQL injection payloads targeting the username parameter.
- Monitor server logs for unusual delays or suspicious POST requests to /admin.php.
- If possible, temporarily disable the admin login module or restrict its functionality until a patch or fix is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated remote attackers to perform SQL injection on the admin login module, potentially leading to unauthorized access to administrative credentials, customer data, and order history.
The exposure and potential manipulation of sensitive customer personally identifiable information (PII) and payment data pose significant risks to compliance with data protection regulations such as GDPR and HIPAA.
Organizations using the affected system may fail to meet requirements for protecting sensitive data, maintaining data integrity, and preventing unauthorized access, which are core principles of these standards.