CVE Alert: CVE-2025-10415 – Campcodes – Grocery Sales and Inventory System

CVE-2025-10415

Severity: HIGH | Exploitation: none known | PoC: observed

A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. It affects an unknown function of the file /ajax.php?action=save_supplier. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely and requires neither authentication nor user interaction. A proof-of-concept exploit has been publicly disclosed and may be used.

CVSS v3.1 base score: 7.3 (High)
Vendor: Campcodes
Product: Grocery Sales and Inventory System
Versions affected: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R (temporal: proof-of-concept exploit, no remediation level stated, reasonable confidence)
Published: 2025-09-14T23:02:06.430Z
Updated: 2025-09-15T17:17:10.852Z

AI Summary Analysis

Risk verdict

High risk: the endpoint is reachable over the network without authentication, a proof-of-concept is public, and the request is trivial to automate; assess exposure and patch urgently.

Why this matters

An attacker could read or alter supplier data through the injected query, leaking confidential information and corrupting inventory records. Downstream, that means financial inaccuracies, supply chain disruption, and regulatory or customer-trust penalties once data integrity or availability is affected.

Most likely attack path

The vulnerability is network-accessible with no required privileges or user interaction (AV:N/PR:N/UI:N), so an attacker only needs to send a request to /ajax.php?action=save_supplier with a crafted ID value. Because ID is interpolated into a SQL statement, standard injection techniques (boolean- or time-based inference, UNION-based reads, or modifying the WHERE clause so an UPDATE hits every row) let the attacker exfiltrate or modify data with little effort. Scope is unchanged (S:U): the blast radius stays within the application's database unless the database account the application uses has been granted broader privileges, in which case the attacker inherits them.

Who is most exposed

Any internet-reachable deployment of Campcodes Grocery Sales and Inventory System 1.0 (the only version listed as affected), including installs on shared hosting. Because the endpoint needs no authentication, public exposure of the application alone is enough; deployments whose database account has more privileges than the application needs are exposed to the most damage.

Detection ideas

  • Requests to /ajax.php with action=save_supplier whose ID value is not a plain integer (quotes, comment sequences, OR/AND/UNION/SELECT, SLEEP or BENCHMARK). Note that web-server access logs do not record POST bodies, so this needs WAF or application-level request logging unless the parameter is sent in the query string.
  • SQL error messages or database query failures attributable to the affected endpoint.
  • Bursts of slow or failing queries correlated with unauthenticated requests to the endpoint (typical of time-based or boolean-based probing).
  • Indicators from the public PoC appearing in network or application logs.
  • Supplier records changing outside the normal workflow, for example many rows updated by a single request.
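The first three detection ideas above can be turned into a simple log check. The script below is an added example, not part of the original alert or of the Campcodes code base. It assumes request records are available as JSON lines from a WAF or application log that captures POST parameters (the field names ts, src_ip, method, path and params are assumptions for this example, and the sample records are constructed). It flags any save_supplier request whose id is not a plain integer, distinguishes generic non-numeric values from ones carrying SQL metacharacters or keywords, and counts hits per source address so a burst from one client stands out.

```python
"""Flag suspicious id values sent to /ajax.php?action=save_supplier.

Added example for the CVE-2025-10415 alert; log format and field names
are assumptions, not the Campcodes application's own logging.
"""
import json
import re
from collections import Counter
from typing import Optional

TARGET_PATH = "/ajax.php"
TARGET_ACTION = "save_supplier"

# A legitimate id for save_supplier is a small integer, or empty for a new row.
NUMERIC_ID = re.compile(r"^\d*$")

# Metacharacters and keywords that have no business inside a numeric id.
SQLI_PATTERN = re.compile(
    r"(['\"`;#]|--|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b"
    r"|\bSLEEP\b|\bBENCHMARK\b|\bEXTRACTVALUE\b|\bUPDATEXML\b)",
    re.IGNORECASE,
)

# Constructed sample records: two normal saves, three injection attempts
# from one address, and one unrelated request.
SAMPLE_LOG = r"""
{"ts":"2025-09-15T10:01:02Z","src_ip":"10.0.0.5","method":"POST","path":"/ajax.php","params":{"action":"save_supplier","id":"12","name":"Fresh Farms"}}
{"ts":"2025-09-15T10:01:09Z","src_ip":"10.0.0.5","method":"POST","path":"/ajax.php","params":{"action":"save_supplier","id":"","name":"New Supplier"}}
{"ts":"2025-09-15T10:02:30Z","src_ip":"203.0.113.7","method":"POST","path":"/ajax.php","params":{"action":"save_supplier","id":"1' OR '1'='1","name":"x"}}
{"ts":"2025-09-15T10:02:31Z","src_ip":"203.0.113.7","method":"POST","path":"/ajax.php","params":{"action":"save_supplier","id":"1 AND SLEEP(5)","name":"x"}}
{"ts":"2025-09-15T10:02:33Z","src_ip":"203.0.113.7","method":"POST","path":"/ajax.php","params":{"action":"save_supplier","id":"1 UNION SELECT 1,2,3--","name":"x"}}
{"ts":"2025-09-15T10:05:00Z","src_ip":"10.0.0.8","method":"GET","path":"/ajax.php","params":{"action":"list_supplier"}}
"""


def classify_id(value: str) -> Optional[str]:
    """Return None for a benign id, else a short reason string."""
    if NUMERIC_ID.match(value):
        return None
    if SQLI_PATTERN.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan(log_text: str):
    """Return (alerts, hits_per_ip) for records hitting the vulnerable action.

    Each alert is a dict with ts, src_ip, the offending id and the reason.
    """
    alerts = []
    hits_per_ip = Counter()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        params = rec.get("params", {})
        if rec.get("path") != TARGET_PATH or params.get("action") != TARGET_ACTION:
            continue
        reason = classify_id(str(params.get("id", "")))
        if reason is None:
            continue
        alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                       "id": params.get("id", ""), "reason": reason})
        hits_per_ip[rec["src_ip"]] += 1
    return alerts, hits_per_ip


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src_ip']} id={a['id']!r} ({a['reason']})")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} suspicious save_supplier request(s)")
```

Tune NUMERIC_ID to whatever id format the deployment actually uses; the point is that the allowed form is narrow enough that anything else is worth an alert, rather than trying to enumerate every SQL payload.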

Mitigation and prioritisation

  • Apply the vendor's patch or upgrade once one is available; this alert lists no fixed version, so check the vendor's channels and treat the compensating controls below as the interim fix.
  • In the affected endpoint, cast ID to an integer and pass it to the database as a bound parameter of a prepared statement rather than concatenating it into the query text.
  • Add a Web Application Firewall rule that blocks save_supplier requests whose ID is not a plain integer.
  • Reduce exposure of the endpoint: require an authenticated session for ajax.php actions, restrict access by IP allowlist, or keep the application off the public internet via network segmentation.
  • Grant the application's database account only the privileges it needs, so that a successful injection cannot read other schemas or write files.
  • Test the fix in staging, deploy through normal change management, and monitor the endpoint after patching for continued probing.
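The attack path and the parameterised-query mitigation above can be shown side by side. The following is an added example, not code from the Campcodes application: the supplier table, the column names and the shape of the UPDATE are assumptions standing in for whatever save_supplier really executes, and sqlite3 stands in for the application's database. The vulnerable function concatenates the ID value into the SQL text, so an ID of `1 OR 1=1` rewrites every supplier row; the hardened function validates ID as an integer and binds it, so the same input is rejected before any query runs.

```python
"""Vulnerable vs hardened handling of the save_supplier id parameter.

Added example for the CVE-2025-10415 alert. Schema and query shape are
assumptions; sqlite3 stands in for the application's real database.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed supplier table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE supplier (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO supplier VALUES (?, ?, ?)",
        [(1, "Fresh Farms", 1), (2, "Daily Dairy", 1), (3, "Bakers Co", 1)],
    )
    conn.commit()
    return conn


def save_supplier_vulnerable(conn, supplier_id: str, name: str) -> int:
    """Deliberately vulnerable: id is pasted into the SQL text (CWE-89).

    Returns the number of rows the UPDATE touched.
    """
    sql = "UPDATE supplier SET name = ? WHERE id = " + supplier_id
    cur = conn.execute(sql, (name,))
    conn.commit()
    return cur.rowcount


def save_supplier_safe(conn, supplier_id: str, name: str) -> int:
    """Hardened: validate the type, then bind id as a query parameter."""
    try:
        id_int = int(supplier_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    cur = conn.execute(
        "UPDATE supplier SET name = ? WHERE id = ?", (name, id_int)
    )
    conn.commit()
    return cur.rowcount


def supplier_names(conn) -> list:
    """Return all supplier names in id order, for inspecting the damage."""
    return [row[0] for row in conn.execute("SELECT name FROM supplier ORDER BY id")]


def demo() -> dict:
    """Run both handlers against a benign id and an injected id."""
    results = {}

    conn = setup_db()
    results["vuln_benign_rows"] = save_supplier_vulnerable(conn, "2", "Daily Dairy Ltd")
    # Injected id: the WHERE clause becomes "id = 1 OR 1=1" and matches all rows.
    results["vuln_injected_rows"] = save_supplier_vulnerable(conn, "1 OR 1=1", "pwned")
    results["vuln_names_after"] = supplier_names(conn)

    conn = setup_db()
    results["safe_benign_rows"] = save_supplier_safe(conn, "2", "Daily Dairy Ltd")
    try:
        save_supplier_safe(conn, "1 OR 1=1", "pwned")
        results["safe_injected_rejected"] = False
    except ValueError:
        results["safe_injected_rejected"] = True
    results["safe_names_after"] = supplier_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding alone would also have stopped this payload (the string would be compared against the integer column and match nothing), but the explicit integer check is what turns a silent no-op into a logged rejection, which is the behaviour the detection ideas above rely on.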
