CVE Alert: CVE-2025-10564 – Campcodes – Grocery Sales and Inventory System

CVE-2025-10564

Severity: HIGH | No exploitation known

A vulnerability was found in Campcodes Grocery Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=delete_category. Manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.

CVSS v3.1 score: 7.3
Vendor: Campcodes
Product: Grocery Sales and Inventory System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-16T20:32:07.007Z
Updated: 2025-09-16T20:32:07.007Z

AI Summary Analysis

Risk verdict

High risk due to a publicly disclosed, unauthenticated remote SQL injection with PoC availability.

Why this matters

Exploitation could lead to data disclosure or modification within the vulnerable database and undermine inventory, orders, or customer data processes. The public exploit increases the likelihood of mass scans and automated attempts targeting this flaw.

Most likely attack path

A remote attacker sends a crafted ID in the vulnerable AJAX request without needing credentials or user interaction. With low attack complexity and network access, an attacker could enumerate or exfiltrate data within the affected scope; the impact remains confined to the application database unless compounded by weak database privileges.

Who is most exposed

Web deployments of the affected application in typical SME environments (shared hosting or self-hosted LAMP stacks) are most at risk, especially where input is not parameterised and the delete_category action is reachable without strong authentication.

Detection ideas

  • Unexpected or error-rich responses in web/app logs from delete_category requests with varied IDs
  • Repeated, unauthenticated requests to the endpoint showing SQL payload patterns
  • Anomalous DB query activity or long-running queries tied to the endpoint
  • WAF/IDS alerts for SQL injection signatures targeting id parameters
  • Elevated error rates after specific parameter values
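As an added illustration of the first two detection ideas (this is not code from the advisory or from the vendor): a small Python script that parses constructed access-log lines, keeps only /ajax.php?action=delete_category requests, flags any id that is not a plain integer, and aggregates per source address together with 5xx counts and the set of distinct ids tried. The log format, IP addresses and id values are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic): the second
# source sends a quote probe, a boolean-style payload, then a plain id.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Sep/2025:21:00:01 +0000] "GET /ajax.php?action=delete_category&id=7 HTTP/1.1" 200 21 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2025:21:00:02 +0000] "GET /ajax.php?action=delete_category&id=7%27 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.9 - - [16/Sep/2025:21:00:03 +0000] "GET /ajax.php?action=delete_category&id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.9 - - [16/Sep/2025:21:00:04 +0000] "GET /ajax.php?action=delete_category&id=8 HTTP/1.1" 200 21 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Characters and keywords that never belong in a numeric category id.
SQL_HINT_RE = re.compile(r"(['\"#;]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b)", re.I)

def classify_id(raw_id):
    """Return None for a well-formed integer id, else a short reason string."""
    if re.fullmatch(r"\d+", raw_id):
        return None
    return "sql-pattern" if SQL_HINT_RE.search(raw_id) else "non-numeric"

def analyze(log_text):
    """Per-source summary of delete_category requests; parse_qs URL-decodes the id."""
    stats = defaultdict(lambda: {"requests": 0, "flagged": 0, "errors": 0, "ids": set(), "reasons": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        parts = urlsplit(m["target"])
        qs = parse_qs(parts.query)
        if parts.path != "/ajax.php" or qs.get("action", [""])[0] != "delete_category":
            continue
        raw_id = qs.get("id", [""])[0]
        entry = stats[m["ip"]]
        entry["requests"] += 1
        entry["ids"].add(raw_id)
        entry["errors"] += 1 if int(m["status"]) >= 500 else 0  # error-rich responses are a signal
        reason = classify_id(raw_id)
        if reason:
            entry["flagged"] += 1
            entry["reasons"].append(reason)
    return dict(stats)

def suspicious_sources(log_text, min_flagged=1):
    """Source IPs with at least min_flagged malformed ids, worst first."""
    hits = [(ip, s) for ip, s in analyze(log_text).items() if s["flagged"] >= min_flagged]
    return sorted(hits, key=lambda kv: kv[1]["flagged"], reverse=True)
```

Feed real access logs through `analyze()` and alert on sources whose flagged count or 5xx count rises, or whose set of distinct ids grows unusually fast.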

Mitigation and prioritisation

  • Apply patch or upgrade to patched version; if unavailable, implement strict input handling and parameterised queries
  • Enforce least-privilege DB accounts and disable or tightly restrict the affected action
  • Implement input validation, prepared statements, and server-side sanitisation
  • Add web-app firewall rules and monitor for anomalous delete_category activity
  • Change-management: test in staging before production rollout; verify logs for post-deploy anomalies
  • Note: if the CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog or its EPSS score is ≥ 0.5, treat as priority 1.
