CVE Alert: CVE-2025-12336 – Campcodes – Retro Basketball Shoes Online Store
CVE-2025-12336
A vulnerability was identified in Campcodes Retro Basketball Shoes Online Store 1.0. An unknown part of the file /admin/admin_index.php is affected: manipulation of the argument Username leads to SQL injection. The attack can be launched remotely, and a public exploit is available and may be used.
AI Summary Analysis
Risk verdict
High risk: a remotely exploitable SQL injection in the admin interface with a publicly available proof of concept. The advisory does not state that authentication is required, so treat the flaw as reachable before login until the vendor confirms otherwise.
Why this matters
Public PoC and remote access enable opportunistic attackers to dump or modify customer data and potentially seize admin privileges, undermining data integrity and trust. The business impact includes data exposure, regulatory risk, and potential disruption of online sales.
Most likely attack path
An attacker targets the internet-facing admin_index.php, supplies a crafted Username value and triggers the injection without any user interaction. Outcomes range from data exfiltration to integrity compromise; the preconditions for initial access are low and the potential impact on the storefront database is high (CVSS scope unchanged).
Who is most exposed
Small to mid-size e-commerce sites running this store on PHP/MySQL with an internet-reachable admin panel. Any deployment that builds SQL by concatenating request parameters instead of using parameterised queries is exposed by definition; input validation alone is not a fix.
Detection ideas
- Web server logs show anomalous requests to admin_index.php with SQL-like payloads (quotes, comment markers, OR/UNION tautologies) in the Username parameter. Note that access logs only capture query strings; if the login form POSTs the Username, the payload is in the request body and only WAF or application-level logging will see it.
- Database logs reveal suspicious queries originating from the admin interface.
- WAF/IDS alerts for classic SQLi patterns on the admin endpoint.
- Frequent failed or unusual authentication/validation activity around the admin area.
- Post-exploitation indicators such as unexpected data exports from the store database.
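As a concrete starting point for the first detection idea, the following is an added example written for this page, not tooling from the site or the Campcodes project. It parses combined-format access log lines, isolates the Username parameter on the /admin/admin_index.php endpoint and flags values that match classic SQL injection shapes. The log lines are constructed for the example; the IPs, user agents and payloads are not from any real incident.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in combined log format; not real traffic from any deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:00:01 +0000] "POST /admin/admin_index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:00:05 +0000] "GET /admin/admin_index.php?Username=admin%27+OR+%271%27%3D%271&Password=x HTTP/1.1" 200 4021 "-" "python-requests/2.31"
198.51.100.4 - - [01/Nov/2025:10:01:12 +0000] "GET /admin/admin_index.php?Username=alice&Password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:01:40 +0000] "GET /admin/admin_index.php?Username=admin%27+UNION+SELECT+1%2C2%2C3--+-&Password=x HTTP/1.1" 500 233 "-" "sqlmap/1.7"
198.51.100.9 - - [01/Nov/2025:10:02:00 +0000] "GET /index.php?Username=bob%27%3B--&Password=x HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Classic injection shapes for a single-quoted string parameter; tune to your own traffic.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),           # ' OR '1'='1  /  ' OR 1=1
    re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),  # UNION SELECT ...
    re.compile(r"--|#|/\*"),                             # comment terminators
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),       # time-based probes
]


def parse_line(line):
    """Split one access log line into fields; query parameters are percent-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": path,
        "params": parse_qs(query, keep_blank_values=True),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def is_sqli(value):
    """True when the decoded parameter value matches any injection pattern."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def scan_log(text, endpoint="/admin/admin_index.php"):
    """Return one hit per suspicious Username value sent to the vulnerable endpoint."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint:
            continue
        for name, values in rec["params"].items():
            if name.lower() != "username":
                continue
            for value in values:
                if is_sqli(value):
                    hits.append({"ip": rec["ip"], "username": value,
                                 "status": rec["status"], "ua": rec["ua"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, this flags the two requests from 203.0.113.7 and ignores the legitimate login and the same payload aimed at a different path. The first line, a POST, yields nothing even though it may carry the same payload in its body, which is why the access-log check should be paired with a WAF or application log that records form fields. Expect some false positives from usernames containing `#` or `--`; the point is to surface candidates for review, not to block.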
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version; if none is available, rewrite the affected query to use parameterised statements (prepared statements with bound values). Input validation on its own does not close an injection.
- Deploy compensating controls: WAF rules targeting SQLi on the admin endpoint, IP allowlisting for the admin UI, and restriction of the admin panel to a VPN or internal network where feasible.
- Harden the store with a least-privilege database account for the web application (no DDL, no access to unrelated schemas) and rotate database and admin credentials after patching, since the injection may already have exposed them.
- Test in staging first, then deploy through change management with monitoring in place.
- If the CVE is listed in CISA's KEV catalogue or its EPSS score is 0.5 or higher, treat it as priority 1. Neither value is given here; obtain current KEV and EPSS values to refine prioritisation.
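To make the root cause and the first mitigation concrete, the following is an added example written for this page, not code from the Campcodes application. The page does not show the vulnerable query, so the shape used here (the Username value spliced into a SELECT) is an assumption. It is written in Python against an in-memory SQLite table rather than PHP/MySQL, because the injection mechanics and the parameterised fix are the same in both: the vulnerable version lets two common Username payloads bypass the password check, the hardened version rejects them while still accepting a real login.

```python
import hashlib
import sqlite3


def hash_password(password):
    # Demo-only hash so the query compares a digest, not a plaintext;
    # a real application should use a slow password hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the store's admin table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO admin (username, password_hash) VALUES (?, ?)",
        ("admin", hash_password("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Assumed shape of the flaw: the Username value becomes part of the SQL text."""
    sql = (
        "SELECT id FROM admin WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Fix: bind values as parameters so they can never be parsed as SQL syntax."""
    sql = "SELECT id FROM admin WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, hash_password(password))).fetchone()
    return row is not None


def demo():
    """Run both versions against two classic payloads and one legitimate login."""
    conn = make_db()
    # "admin' OR '1'='1" turns the WHERE clause into a tautology;
    # "admin'-- " comments out the password check entirely.
    payloads = ["admin' OR '1'='1", "admin'-- "]
    return {
        "vulnerable_bypassed": [login_vulnerable(conn, p, "wrong") for p in payloads],
        "parameterised_bypassed": [login_parameterised(conn, p, "wrong") for p in payloads],
        "legit_login": login_parameterised(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable function the first payload produces `WHERE username = 'admin' OR '1'='1' AND password_hash = '...'`, which AND-precedence reduces to "username is admin, or anything", and the second produces `WHERE username = 'admin'-- ...`, discarding the password clause. With bound parameters the same strings are compared as literal usernames and match nothing. The same transformation applies in PHP with `mysqli_prepare`/`bind_param` or PDO prepared statements; escaping or validating the input is not a substitute.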