CVE Alert: CVE-2025-10413 - Campcodes - Grocery Sales and Inventory System

CVE-2025-10413

HIGHNo exploitation knownPoC observed

A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=delete_customer. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

CVSS v3.1 (7.3)

Vendor

Campcodes

Product

Grocery Sales and Inventory System

Versions

1.0

CWE

CWE-89, SQL Injection

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Published

2025-09-14T22:02:07.546Z

Updated

2025-09-15T17:18:51.422Z

References

https://vuldb.com/?id.323847

https://vuldb.com/?ctiid.323847

https://vuldb.com/?submit.646969

https://github.com/zzb1388/cve/issues/82

https://www.campcodes.com/

AI Summary Analysis

Risk verdict

High risk with publicly disclosed PoC and an active exploit path; treat as priority 1 due to KEV/exploitation indicators.

Why this matters

Unauthenticated remote SQL injection via a web AJAX endpoint can disclose or manipulate database contents, enabling data exposure or tampering. The availability of a PoC and public exploit increases the likelihood of automated exploits targeting exposed instances, risking customer data and business operations.

Most likely attack path

An attacker sends crafted input to a remote web endpoint that processes an action parameter, triggering a SQL injection without authentication. The impact remains partial (confidentiality, integrity, availability) per CVSS, but attacker capability is high due to no user interaction and network access.

Who is most exposed

Small to mid-size deployments hosting web-facing ERP/retail systems with an unauthenticated AJAX interface are at greatest risk, especially if they lack input validation, parameterised queries, or WAF protection.

Detection ideas

Unexpected SQL errors or abnormal database error messages in logs.
Anomalous requests to the AJAX endpoint with suspicious ID values (e.g., SQL syntax, UNION/SELECT payloads).
Unusual query patterns or data exfiltration indicators in database logs.
Increased 500/DB error rates following specific endpoint calls.
WAF alerts for SQLi-like signatures on the affected endpoint.

Mitigation and prioritisation

Apply vendor patch or upgrade to a fixed release; if unavailable, implement immediate input validation and parameterised queries; disable or harden the vulnerable endpoint where feasible.
Enable a web application firewall with SQLi signatures and custom rules for the endpoint.
Restrict access to the management interface and segregate networks; enforce least privilege DB credentials.
Establish robust monitoring, backups, and an incident response runbook; schedule a rapid patch window and verify post-deployment integrity.
If KEV/Exploitation indicators exist, treat as priority 1 and escalate to rapid remediation.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: campcodes, CVE, cve-2025-10413, grocery-sales-and-inventory-system, OSINT, threatintel