CVE Alert: CVE-2025-10565 – Campcodes – Grocery Sales and Inventory System

Risk verdict

High risk due to remote, unauthenticated SQL injection with a publicly disclosed exploit affecting a network-facing endpoint.

Why this matters

The flaw can enable data disclosure and tampering in the backend. For a grocery sales and inventory system, that could compromise stock integrity, order data, and customer information, leading to financial loss and reputational damage.

Most likely attack path

An attacker can directly target the network-facing AJAX endpoint and supply crafted ID values to trigger the SQL injection. No authentication or user interaction is required, so automated exploitation is plausible; public disclosure increases likelihood of use, with impact tied to the database that the application communicates with.

Who is most exposed

deployments that expose the web interface to the internet—common for on-premises or hosted setups used by small to midsize retailers—are at greatest risk.

Detection ideas

• SQL errors or abnormal responses from the vulnerable endpoint in app logs.
• Bursts of requests with varied or unusual IDs to delete_receiving.
• Anomalous DB queries: long-running or unexpected data access patterns.
• IDS/IPS alerts for SQL injection patterns targeting this endpoint.
• Unexplained stock or order data changes following access attempts.

Mitigation and prioritisation

• Apply the vendor patch or upgrade to the fixed version.
• Enforce parameterised queries, input validation, and ensure ID is strictly numeric.
• Restrict or disable the vulnerable endpoint; require authentication and CSRF protection.
• Apply least-privilege database accounts and network segmentation.
• Enhance logging, detection, and perform staged testing before production deployment.
• If KEV true or EPSS ≥ 0.5, treat as priority 1; otherwise, prioritise as high.