CVE Alert: CVE-2025-12338 – Campcodes – Retro Basketball Shoes Online Store

CVE-2025-12338

HIGH | No exploitation known | PoC observed

A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. An unspecified part of the file /admin/admin_product.ph is affected: manipulating the argument pid can lead to SQL injection. The attack can be launched remotely. A public exploit is available and could be used.

CVSS v3.1 score: 7.3
Vendor: Campcodes
Product: Retro Basketball Shoes Online Store
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-28T00:32:06.361Z
Updated: 2025-10-28T14:23:27.048Z

AI Summary Analysis

Risk verdict

High risk: a publicly exploitable remote SQL injection vulnerability with a PoC available and automation possible, enabling rapid exploitation against the admin interface.

Why this matters

An attacker could read or modify data from the application’s database with no user interaction or privileges required, potentially exfiltrating customer data or altering product information. Given the critical exposure of an admin-facing endpoint, successful exploitation may enable further privilege abuse or data integrity issues, impacting revenue and trust.

Most likely attack path

No authentication is required and the endpoint is reachable over the network, so exploitation is feasible from attacker-controlled hosts. An attacker need only craft the vulnerable parameter value to trigger, manipulate, or time database responses, then broaden data access or alter records. The privilege and scope impact is bounded by the permissions of the database account the application uses, but read/write access to user or inventory data is plausible.

Who is most exposed

E-commerce platforms with publicly reachable admin panels and basic input handling are at risk. Small to mid-sized shops using custom admin tooling without robust input handling or parameterised queries are especially exposed.

Detection ideas

  • Unusual requests to the admin endpoint with suspicious pid-like payloads (e.g., quotes, union-based patterns).
  • SQL error strings or database-related exceptions in web/app logs.
  • Abrupt spikes in admin-page latency or 500s following targeted requests.
  • WAF/signature alerts for SQLi patterns on admin paths.
  • Anomalous read/write activity on user, order, or product tables.
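The first three detection ideas above, applied to log lines, as an added example that is not part of the advisory and not code from the vendor. It assumes an Apache/nginx combined-format access log and a free-text application log; the sample lines, the ADMIN_PREFIX, the token list and the database error strings are all constructed assumptions. The admin path is spelled exactly as the advisory lists it, and only the /admin/ prefix is matched, so the filename spelling does not affect the result.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not from any real system.
# The admin path is written as the advisory lists it; only the /admin/ prefix matters.
ACCESS_LOG = """\
203.0.113.5 - - [28/Oct/2025:10:01:12 +0000] "GET /admin/admin_product.ph?pid=12 HTTP/1.1" 200 5120
203.0.113.5 - - [28/Oct/2025:10:01:13 +0000] "GET /admin/admin_product.ph?pid=12' HTTP/1.1" 500 312
203.0.113.5 - - [28/Oct/2025:10:01:14 +0000] "GET /admin/admin_product.ph?pid=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4100
203.0.113.5 - - [28/Oct/2025:10:01:15 +0000] "GET /admin/admin_product.ph?pid=abc HTTP/1.1" 500 312
198.51.100.7 - - [28/Oct/2025:10:02:00 +0000] "GET /admin/admin_product.ph?pid=7&name=Retro%20Runner HTTP/1.1" 200 5100
198.51.100.7 - - [28/Oct/2025:10:02:05 +0000] "GET /index.php?page=shoes HTTP/1.1" 200 8800
"""

# Constructed application-log lines. The error strings are the generic ones MySQL,
# PostgreSQL and PDO emit, so the pattern is not tied to one engine (the advisory
# does not say which database the store uses).
APP_LOG = """\
[2025-10-28 10:01:13] ERROR db: You have an error in your SQL syntax; check the manual that corresponds to your server version
[2025-10-28 10:01:15] ERROR db: SQLSTATE[42S22]: Column not found
[2025-10-28 10:02:00] INFO  admin: product 7 updated
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \d+'
)
ADMIN_PREFIX = "/admin/"  # assumption: the admin panel lives under this prefix
# Tokens that have no business inside a product id: quotes, comment openers,
# UNION/SELECT keywords, time-based functions, and OR tautologies.
SQLI_TOKENS = re.compile(r"['\"]|--|/\*|\b(union|select|sleep|benchmark)\b|\bor\b\s+\S+\s*=\s*\S+", re.I)
ASCII_DIGITS = re.compile(r"[0-9]+")  # str.isdigit() also accepts superscripts, so use an explicit class
SQL_ERROR_RE = re.compile(
    r"error in your SQL syntax|SQLSTATE\[|syntax error at or near|unterminated quoted string", re.I
)


def analyse_request(target):
    """Return a reason string if the request targets the admin area with a
    suspicious parameter value, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(ADMIN_PREFIX):
        return None
    # parse_qs percent-decodes values, so %20UNION%20 is inspected as ' UNION '.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SQLI_TOKENS.search(value):
                return f"SQL-like token in {key}: {value!r}"
            if key == "pid" and not ASCII_DIGITS.fullmatch(value):
                return f"non-numeric pid: {value!r}"
    return None


def scan_access_log(text):
    """Run analyse_request over every parsable line. Each alert keeps the client,
    timestamp and HTTP status, so a 500 right after a tampered request stands out."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_request(m["target"])
        if reason:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "reason": reason})
    return alerts


def find_sql_errors(text):
    """Application-log lines that leak database error text, a symptom of
    untrusted input having reached the SQL parser."""
    return [line for line in text.splitlines() if SQL_ERROR_RE.search(line)]


if __name__ == "__main__":
    for a in scan_access_log(ACCESS_LOG):
        print(f"{a['ts']} {a['ip']} HTTP {a['status']}: {a['reason']}")
    for line in find_sql_errors(APP_LOG):
        print("DB error leaked:", line)
```

On the constructed input this flags the quoted, UNION-bearing and non-numeric pid requests (two of them followed by a 500) and leaves the benign admin request with a free-text name parameter alone; the token list is deliberately narrow, and in production it would sit beside the WAF signatures the fourth bullet mentions rather than replace them.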

Mitigation and prioritisation

  • Apply the available patch or upgrade the affected admin component; verify against vendor guidance.
  • Enforce input validation and parameterised queries; restrict admin access to trusted networks; enable MFA for admins.
  • Implement least privilege DB user accounts; monitor and log all admin-level DB queries.
  • Deploy or tune WAF rules to block common SQLi patterns targeting admin paths.
  • Plan a controlled patch window with staging validation; verify no breaking changes before production rollout.
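The second mitigation bullet, input validation plus parameterised queries, as an added example that is not the vendor's code: a stand-in product lookup in Python against an in-memory SQLite table, showing the string-built query that CWE-89 describes next to its hardened form. The table, its rows and the function names are assumptions; the advisory says nothing about the real application's code or database engine.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the store's product table (assumed schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Retro High", 120.0), (2, "Retro Low", 95.0), (3, "Retro Mid", 105.0)],
    )
    return conn


def get_product_vulnerable(conn, raw_pid):
    """The CWE-89 pattern: the request value is spliced into the SQL text, so the
    database parses whatever the client sent as part of the statement."""
    sql = f"SELECT pid, name, price FROM products WHERE pid = {raw_pid}"
    return conn.execute(sql).fetchall()


def parse_pid(raw_pid):
    """Allow-list validation: pid is a positive ASCII integer or the request is rejected.
    An explicit [0-9]+ match is used because str.isdigit() also accepts characters
    such as superscript digits that int() then refuses."""
    if not isinstance(raw_pid, str) or not re.fullmatch(r"[0-9]+", raw_pid):
        raise ValueError("pid must be a positive integer")
    pid = int(raw_pid)
    if pid == 0:
        raise ValueError("pid must be a positive integer")
    return pid


def get_product_hardened(conn, raw_pid):
    """Validated value bound through a placeholder: the SQL text is fixed at
    development time and the value travels to the engine as data, never as
    part of the statement."""
    pid = parse_pid(raw_pid)
    return conn.execute(
        "SELECT pid, name, price FROM products WHERE pid = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, pid=2:        ", get_product_vulnerable(db, "2"))
    print("vulnerable, pid=2 OR 1=1: ", get_product_vulnerable(db, "2 OR 1=1"))
    print("hardened,   pid=2:        ", get_product_hardened(db, "2"))
    try:
        get_product_hardened(db, "2 OR 1=1")
    except ValueError as e:
        print("hardened,   pid=2 OR 1=1:  rejected:", e)
```

The validation step and the placeholder are independent defences: the placeholder alone already stops the value from being parsed as SQL, and the integer check on top of it also closes the error-message and latency channels the detection ideas above rely on, because malformed input never reaches the database at all.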
