CVE Alert: CVE-2025-10563 – Campcodes – Grocery Sales and Inventory System
CVE-2025-10563
A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_category. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with a publicly disclosed PoC, enabling attacker access without credentials.
Why this matters
An attacker could read or modify database content, potentially exposing customer data and inventory records. The flaw’s remote nature combined with a PoC increases the window for automated exploitation and may enable downstream disruption of operations.
Most likely attack path
An attacker can target the publicly accessible /ajax.php?action=save_category endpoint without authentication (network vector, low complexity, no user interaction). A successful injection could leak or alter data (confidentiality and integrity impacts are shown as limited), with no privilege escalation required and a single scope-change risk, enabling targeted data exfiltration or tampering in the affected store's database.
Who is most exposed
Small to medium retail deployments running Campcodes Grocery Sales and Inventory System v1.0 with publicly reachable web interfaces—often on on-prem or inexpensive hosting—are most at risk, especially if they lack prompt patching and secure DB credentials.
Detection ideas
- Logs show SQL error messages or abnormal responses from ajax.php?action=save_category.
- Suspicious requests with crafted id parameters triggering anomalies (e.g., unusual length or payloads).
- Increased 500/502 or SQL error codes for the endpoint.
- WAF alerts for SQLi signatures in this path.
- DB user activity spikes from the web app account.
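The detection ideas above, turned into a small log scanner as an added example (not code from the alert or the vendor): it parses Apache combined-format access lines, assumes the `id` parameter travels in the query string, treats any id longer than 12 characters as abnormal (an assumption for this product's small integer category ids), and flags non-numeric ids, SQL metacharacters and 5xx responses on the `save_category` action. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "POST /ajax.php?action=save_category&id=12 HTTP/1.1" 200 53
10.0.0.9 - - [01/Oct/2025:10:00:02 +0000] "GET /ajax.php?action=save_category&id=12%27%20OR%201%3D1-- HTTP/1.1" 500 0
10.0.0.9 - - [01/Oct/2025:10:00:03 +0000] "GET /ajax.php?action=save_category&id=1%20UNION%20SELECT%20null HTTP/1.1" 200 41
10.0.0.7 - - [01/Oct/2025:10:00:04 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TARGET_ACTION = "save_category"
MAX_ID_LEN = 12  # assumption: a legitimate category id is a short integer
SQLI_HINTS = re.compile(r"['\"]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)


def suspicious_reasons(line):
    """Return the reasons a log line looks like an attempt against the endpoint ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    if url.path != "/ajax.php":
        return []
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    if qs.get("action", [""])[0] != TARGET_ACTION:
        return []
    reasons = []
    for value in qs.get("id", []):
        if not value.isdigit():
            reasons.append("non-numeric id")
        if len(value) > MAX_ID_LEN:
            reasons.append("overlong id")
        if SQLI_HINTS.search(value):
            reasons.append("sql metacharacters in id")
    if m.group("status").startswith("5"):
        reasons.append("server error on endpoint")
    return reasons


def scan(log_text):
    """Return (line_no, client_ip, reasons) for every suspicious line in the log text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = suspicious_reasons(line)
        if reasons:
            hits.append((n, LOG_RE.match(line).group("ip"), reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

If the application sends `id` in the POST body, the access log will not contain it; feed the same function request captures from the reverse proxy or WAF instead.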
Mitigation and prioritisation
- Apply any available patch or upgrade to a non-vulnerable release; implement vendor-supplied fixes promptly.
- Implement input validation and use prepared statements / parameterised queries in the affected code path.
- Enforce least privilege for the web app’s DB user; disable unnecessary DB features.
- Add Web Application Firewall rules to block SQLi payloads targeting this endpoint; monitor for repeated attempts.
- Change-management: test fixes in a staging environment before production; document remediation timing. If KEV is true or EPSS ≥ 0.5, treat as priority 1.