CVE Alert: CVE-2025-10031 – Campcodes – Grocery Sales and Inventory System
CVE-2025-10031
A security vulnerability has been detected in Campcodes Grocery Sales and Inventory System 1.0. An unknown function of the file /ajax.php?action=delete_sales is affected. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk. Public, unauthenticated SQL injection via a remote endpoint with a disclosed exploit suggests active exploitation potential.
Why this matters
Attackers can read, alter, or delete sensitive sales and inventory data, potentially impacting revenue, stock accuracy, and customer trust. The ability to manipulate the ID parameter remotely enables data disclosure and integrity risks without user interaction, raising the likelihood of automated scanning and abuse.
Most likely attack path
An attacker can directly request the vulnerable endpoint /ajax.php?action=delete_sales with a crafted ID, exploiting SQL injection to access or modify the backend database. With no authentication or user interaction required, preconditions are minimal (network access to the app, input not sanitised). Impact can occur on confidentiality, integrity, and availability of the data, and the unchanged scope implies potential database-wide effects if the app utilises the compromised DB account across modules.
Who is most exposed
Retailers running Campcodes Grocery Sales and Inventory System 1.0, especially those exposed to the internet or hosted on shared environments, are most at risk. Small businesses relying on this single web endpoint for critical operations are particularly vulnerable.
Detection ideas
- Alerts for requests to /ajax.php?action=delete_sales with unusual or non-numeric IDs.
- SQL error messages or abnormal database responses in app logs.
- Anomalous spikes in delete_sales endpoint traffic or rapid success/failure patterns.
- WAF signatures for generic SQLi payloads targeting the ID parameter.
- DB query logs showing concatenated SQL fragments or unexpected permissions.
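As an added illustration of the first three detection ideas above (not code from the vendor or from this advisory), the following Python checker scans access log lines for delete_sales requests whose id is empty or non-numeric, counts 5xx responses on that endpoint, and flags source addresses that hit it repeatedly. The log lines, IP addresses, burst threshold and the assumption that sales IDs are plain integers are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache/Nginx "combined"-style), not from
# any real system; the request paths mirror the endpoint named in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /ajax.php?action=delete_sales&id=42 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /ajax.php?action=delete_sales&id=42%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Oct/2025:10:00:03 +0000] "GET /ajax.php?action=save_product&id=abc HTTP/1.1" 200 5 "-" "curl/8.0"
203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /ajax.php?action=delete_sales&id= HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:05 +0000] "GET /ajax.php?action=delete_sales&id=7 HTTP/1.1" 200 17 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) ')
NUMERIC_ID = re.compile(r"^[0-9]{1,10}$")  # assumption: sales ids are plain positive integers

def is_delete_sales(target):
    """True when the request path/query is the advisory's delete_sales endpoint."""
    parts = urlsplit(target)
    return parts.path.endswith("/ajax.php") and parse_qs(parts.query).get("action") == ["delete_sales"]

def check_line(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m or not is_delete_sales(m["target"]):
        return None
    # keep_blank_values so an empty "id=" is still seen and flagged
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    ids = qs.get("id", [])
    suspicious = any(not NUMERIC_ID.match(v) for v in ids)  # empty or non-numeric id
    return {"ip": m["ip"], "status": int(m["status"]), "ids": ids, "suspicious": suspicious}

def analyze(log_text, burst_threshold=3):
    """Summarise delete_sales activity: flagged requests, 5xx responses, per-IP bursts."""
    findings = [f for f in map(check_line, log_text.splitlines()) if f]
    per_ip = Counter(f["ip"] for f in findings)
    return {
        "flagged": [(f["ip"], f["ids"]) for f in findings if f["suspicious"]],
        "server_errors": sum(1 for f in findings if f["status"] >= 500),
        "bursty_ips": sorted(ip for ip, n in per_ip.items() if n >= burst_threshold),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Only the query string is visible in an access log, so an id sent in a POST body needs application or database query logs (the last two detection ideas) to be checked the same way.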
Mitigation and prioritisation
- Patch or upgrade to a fixed version; implement vendor-provided fix promptly.
- Apply input validation and parameterised queries for all endpoints, especially delete_sales.
- Require authentication and least-privilege access for the endpoint; remove unnecessary public exposure.
- Deploy WAF rules to block common SQLi patterns and monitor for anomalous payloads.
- Implement change-management practices and verify backups; if the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.