CVE Alert: CVE-2025-12337 – Campcodes – Retro Basketball Shoes Online Store
CVE-2025-12337
A security flaw has been discovered in Campcodes Retro Basketball Shoes Online Store 1.0. It affects an unknown part of the file /admin/admin_feature.php: manipulation of the argument pid leads to SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be used in attacks.
AI Summary Analysis
Risk verdict
High risk: publicly disclosed SQL injection on a remote admin endpoint with a PoC available; immediate attention needed.
Why this matters
An attacker could exploit the injection to read or modify data from the store’s database, potentially exposing customer information or order details and tampering with records. With remote, unauthenticated access and public exploit guidance, automated scanning and exploitation are plausible across exposed deployments.
Most likely attack path
An attacker targets the /admin/admin_feature.php endpoint, sending crafted pid values to trigger SQL injection. No user interaction is required, and the flaw could yield data disclosure or modification within the application’s database. The impact remains within the same scope (no broader system compromise) but can enable credential leakage or admin-level data access if the DB is misconfigured.
Who is most exposed
Public-facing ecommerce platforms with internet-accessible admin interfaces and insufficient input sanitisation are at highest risk, particularly smaller stores that may lack robust WAFs or strict endpoint access controls.
Detection ideas
- Look in access logs for requests to admin_feature.php whose pid parameter contains SQL syntax or other unusual payloads.
- Monitor for SQL error messages or database errors emerging from the admin endpoint.
- A spike in requests to the admin page without user authentication, or requests carrying unusual user-agent strings.
- WAF/IPS alerts for SQL injection patterns against the admin feature.
- Anomalous data access events tied to the store database from the web tier.
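The first four detection ideas above, as an added example that is not part of this advisory: a Python script that scans combined-format access log lines for requests to /admin/admin_feature.php and flags any pid value that is not purely numeric (the legitimate product id), any 5xx response from the endpoint (a likely database error), and any non-browser user agent. The log lines, IP addresses, timestamps and user-agent strings are constructed for the illustration and do not come from a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; IPs, timestamps and user
# agents are made up for this illustration and do not come from any real system.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /admin/admin_feature.php?pid=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Nov/2025:10:01:05 +0000] "GET /admin/admin_feature.php?pid=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9841 "-" "python-requests/2.31"
203.0.113.12 - - [12/Nov/2025:10:01:07 +0000] "GET /index.php?pid=7 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Nov/2025:10:01:09 +0000] "GET /admin/admin_feature.php?pid=42%20UNION%20SELECT HTTP/1.1" 500 210 "-" "curl/8.0"
"""

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

VULNERABLE_PATH = "/admin/admin_feature.php"


def suspicious_requests(log_text):
    """Return one finding per request to the vulnerable endpoint that shows an
    injection indicator. Each finding lists every reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if url.path != VULNERABLE_PATH:
            continue  # only the affected script is of interest here
        # parse_qs percent-decodes values, so encoded quotes and spaces become visible
        params = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        for pid in params.get("pid", []):
            # The legitimate pid is a product id; anything but digits is an indicator
            if not pid.isdigit():
                reasons.append("non-numeric pid %r" % pid)
        if m.group("status").startswith("5"):
            reasons.append("server error from endpoint (possible database error)")
        if "Mozilla" not in m.group("ua"):
            reasons.append("non-browser user agent %r" % m.group("ua"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

The numeric check is the most reliable of the three signals, because it does not depend on a keyword list; the status and user-agent checks are weaker on their own but raise confidence when they co-occur with an odd pid. Run against a real log, the same function can be fed line by line from a tail process instead of the constructed string.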
Mitigation and prioritisation
- Apply the vendor patch or upgrade to fixed code; switch to parameterised queries for pid.
- Implement input validation to constrain pid (e.g., numeric only) and use prepared statements.
- Harden access to admin endpoints: require authentication, MFA, and IP allowlisting; minimise internet exposure.
- Disable verbose error messages and enforce strict error handling to prevent data leakage.
- Enable targeted monitoring and alerting on admin_feature.php; perform a controlled security scan and regression testing in a staging environment. Coordinate patching with change management and rollback plans.
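The first, second and fourth mitigation items above, as an added example that is not the vendor's code and not a patch for this product: a Python/sqlite3 illustration (the store itself is PHP, so the language and the product table are swapped in for the demonstration) of the string-concatenation anti-pattern beside its hardened form, which constrains pid to a positive integer and binds it as a query parameter, wrapped in an endpoint-style handler that returns only generic error messages. Table name, sample rows and function names are constructed assumptions.

```python
import sqlite3


def make_db():
    """Build an in-memory product table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Retro High", 120.0), (2, "Retro Low", 95.0), (3, "Court Classic", 80.0)],
    )
    return conn


def lookup_vulnerable(conn, raw_pid):
    """The anti-pattern: untrusted input pasted into the SQL text, so the
    database parses whatever the client sent as part of the statement."""
    sql = "SELECT pid, name, price FROM products WHERE pid = " + raw_pid
    return conn.execute(sql).fetchall()


def parse_pid(raw_pid):
    """Constrain pid to a positive integer of sane length; reject everything else."""
    if not isinstance(raw_pid, str) or not raw_pid.isdigit() or len(raw_pid) > 10:
        raise ValueError("pid must be a positive integer")
    return int(raw_pid)


def lookup_hardened(conn, raw_pid):
    """Validate first, then bind the value as a parameter so it is never parsed as SQL."""
    pid = parse_pid(raw_pid)
    return conn.execute(
        "SELECT pid, name, price FROM products WHERE pid = ?", (pid,)
    ).fetchall()


def handle_request(conn, raw_pid):
    """Endpoint-style wrapper: generic responses, no database detail reaches the client."""
    try:
        rows = lookup_hardened(conn, raw_pid)
    except ValueError:
        return {"status": 400, "body": "invalid pid"}
    except sqlite3.Error:
        # Log the real error server-side; the client only sees a generic message
        return {"status": 500, "body": "internal error"}
    if not rows:
        return {"status": 404, "body": "no such product"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    # A tautology appended to the id makes the concatenated query return every row
    print("vulnerable, tampered pid:", len(lookup_vulnerable(db, "2 OR 1=1")), "rows")
    # The hardened path rejects the same input before it reaches the database
    print("hardened, tampered pid:", handle_request(db, "2 OR 1=1"))
    print("hardened, valid pid:", handle_request(db, "2"))
```

Validation and parameter binding are independent layers: binding alone already stops the value from being parsed as SQL, and the integer check additionally rejects malformed input early and keeps the database from seeing it at all. In the real application the equivalent is a PHP prepared statement with the pid bound as an integer.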
