CVE Alert: CVE-2025-12339 – Campcodes – Retro Basketball Shoes Online Store

CVE-2025-12339

Severity: HIGH | Exploitation: none known | PoC: observed

A SQL injection vulnerability has been reported in Campcodes Retro Basketball Shoes Online Store 1.0. It affects an unspecified function in the file /admin/admin_football.php: the pid argument is not safely handled before it reaches a database query, so a crafted value is interpreted as SQL. The flaw is exploitable remotely, and a public proof of concept has been disclosed and may be used in attacks.

CVSS v3.1 base score: 7.3 (High)
Vendor: Campcodes
Product: Retro Basketball Shoes Online Store
Affected versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-28T00:32:09.124Z
Updated: 2025-10-28T14:19:46.571Z

AI Summary Analysis

Risk verdict

Urgent risk: publicly disclosed exploit with a PoC available, enabling remote SQL injection without authentication.

Why this matters

An unauthenticated injection on the admin backend can expose sensitive customer and order data, permit data tampering, or enable further compromise of the store’s database. In small to mid-size shops, such access can devastate trust, disrupt orders, and facilitate financial fraud or data exfiltration.

Most likely attack path

Remote exploitation needs no privileges or user interaction (AV:N/PR:N/UI:N): the attacker sends a request to /admin/admin_football.php with a crafted pid value, which the script evidently concatenates into a SQL statement (CWE-89). Depending on the query, this permits reading or modifying database contents through UNION-, error- or time-based techniques; the CVSS rating scopes the impact to the database (C:L/I:L/A:L), but database privileges may open follow-on access to the application server. Because the request is trivial to automate, mass scanning is viable, and an admin path that is reachable from the internet raises exposure considerably.

Who is most exposed

E-commerce sites that deploy this PHP application with the /admin/ path reachable from the internet are at highest risk, especially where the admin path is not MFA-protected or IP-restricted. Note that the injection does not require an admin session, so protecting only the login form does not help; what matters is whether unauthenticated requests can reach the script at all.

Detection ideas

  • Alert on requests to admin_football.php whose pid value is not a plain integer (quotes, comment sequences such as -- or /*, UNION/SELECT, tautologies like OR 1=1, SLEEP/BENCHMARK calls)
  • Increased HTTP 500 responses or database error messages on the admin path, which accompany error-based and blind probing
  • Sudden spikes in requests to /admin/ from diverse source IPs or from scanner user agents
  • WAF signatures triggering on classic SQLi payloads (UNION/SELECT, tautologies)
  • Unusual query volumes or reads of tables the admin script never touches in database audit logs, which can indicate data exfiltration
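As an added illustration of the first two detection ideas (not part of this advisory and not Campcodes' code), the following Python scans web-server access logs for requests to /admin/admin_football.php whose pid value is anything other than a plain integer and tallies 5xx responses per source IP on that path. The log lines are constructed samples in the common combined format; the path and parameter name come from the advisory, while the IPs, timestamps, user agents and payloads are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/admin/admin_football.php"  # vulnerable script named in the advisory
PARAM = "pid"                               # injectable argument named in the advisory

# Combined log format: ip ident user [time] "METHOD url HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)

# Tokens that never belong in a numeric product id. The check is allow-list first
# (a bare integer is the only legitimate value); this pattern only labels *why*
# a non-integer value looks like injection rather than a broken client.
SQLI_RE = re.compile(
    r"(['\"]|--|/\*|#|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+)",
    re.I,
)


def classify_pid(value):
    """Return 'ok', 'sqli' or 'anomalous' for one (already URL-decoded) pid value."""
    if re.fullmatch(r"\d{1,10}", value):
        return "ok"
    if SQLI_RE.search(value):
        return "sqli"
    return "anomalous"


def analyse(lines):
    """Scan access-log lines and return (alerts, errors_per_ip).

    alerts:        list of (ip, pid_value, verdict) for requests to TARGET_PATH whose
                   pid is not a plain integer.
    errors_per_ip: Counter of 5xx responses on TARGET_PATH per source IP; this catches
                   error-based probing even when the payload itself is obfuscated.
    """
    alerts = []
    errors_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand (rotated header, junk, etc.)
        parts = urlsplit(m["url"])
        if parts.path != TARGET_PATH:
            continue
        if m["status"].startswith("5"):
            errors_per_ip[m["ip"]] += 1
        # parse_qs percent-decodes the value, so %27 becomes a quote before matching.
        for pid in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            verdict = classify_pid(pid)
            if verdict != "ok":
                alerts.append((m["ip"], pid, verdict))
    return alerts, errors_per_ip


# Constructed sample log: one benign request, three injection probes, one malformed
# value and one request to an unrelated script that must be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2025:10:01:02 +0000] "GET /admin/admin_football.php?pid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2025:10:01:05 +0000] "GET /admin/admin_football.php?pid=12%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2025:10:01:09 +0000] "GET /admin/admin_football.php?pid=12%20OR%201%3D1 HTTP/1.1" 200 98231 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Oct/2025:10:02:11 +0000] "GET /admin/admin_football.php?pid=1%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 312 "-" "sqlmap/1.8"
192.0.2.44 - - [28/Oct/2025:10:03:00 +0000] "GET /admin/admin_football.php?pid=abc HTTP/1.1" 200 4011 "-" "curl/8.4"
192.0.2.44 - - [28/Oct/2025:10:03:30 +0000] "GET /index.php?pid=1%27 HTTP/1.1" 200 8000 "-" "curl/8.4"
"""

if __name__ == "__main__":
    found, errors = analyse(SAMPLE_LOG.splitlines())
    for ip, pid, verdict in found:
        print(f"{verdict:9s} {ip:14s} pid={pid!r}")
    for ip, n in errors.items():
        print(f"5xx on {TARGET_PATH} from {ip}: {n}")
```

Run against the sample, the script flags the quote, the tautology and the UNION probe as sqli, the non-numeric value as anomalous, and attributes one 5xx each to the two probing IPs; the request to index.php is ignored. In production, feed it the real access log and raise the per-IP 5xx count into an alert threshold that fits your traffic.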

Mitigation and prioritisation

  • Apply a vendor patch or upgrade to a fixed release if Campcodes publishes one; this record lists only 1.0 as affected and names no fixed version. Verify any fix in staging before production
  • Replace string-built SQL with parameterised queries (prepared statements) and validate pid as a positive integer before it reaches the query; this is the actual fix, everything below is defence in depth
  • Harden admin access: IP allowlisting, MFA, VPN-only access, and remove internet exposure of /admin/ where feasible
  • Deploy WAF rules to block SQLi patterns as a stopgap, not a substitute for the code fix; enable request logging and alerting on the admin path
  • Change management: code review, regression testing, and gradual rollout with active monitoring
  • KEV/EPSS data unavailable here; if KEV is true or EPSS ≥ 0.5, treat as priority 1
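To make the parameterised-query item concrete, here is an added example (not Campcodes' code; the application's real query is not shown on this page) of the string-concatenation pattern that a CWE-89 finding on a numeric id parameter implies, beside its hardened replacement. It is written in Python with an in-memory SQLite table standing in for the store's database; the products table, its rows and the function names are assumptions for illustration only.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the store's product table; the real schema is not known."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Retro High", 180.0), (2, "Court Classic", 95.5), (3, "Low Top", 120.0)],
    )
    return conn


def lookup_vulnerable(conn, pid):
    """The CWE-89 pattern: the request value is spliced into the SQL text.

    Because pid is numeric there are no quotes to escape, so the injected value
    simply continues the WHERE clause (2 OR 1=1) or appends a UNION.
    """
    sql = f"SELECT id, name, price FROM products WHERE id = {pid}"
    return conn.execute(sql).fetchall()


PID_RE = re.compile(r"\d{1,10}")  # allow-list: a short decimal integer, nothing else


def lookup_hardened(conn, pid):
    """Validate the type first, then bind the value as a query parameter.

    Binding alone already defeats injection; the allow-list check is there so that
    junk input fails loudly at the edge instead of becoming a 500 from the database.
    """
    if not isinstance(pid, str) or not PID_RE.fullmatch(pid):
        raise ValueError("pid must be a decimal integer")
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (int(pid),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed payloads of the kind the advisory's pid parameter would receive.
    for payload in ("2", "2 OR 1=1", "0 UNION SELECT 0, name, 0 FROM sqlite_master"):
        print("vulnerable", repr(payload), "->", lookup_vulnerable(conn, payload))
        try:
            print("hardened  ", repr(payload), "->", lookup_hardened(conn, payload))
        except ValueError as exc:
            print("hardened  ", repr(payload), "-> rejected:", exc)
```

Against the concatenated query, `2 OR 1=1` returns every product and the UNION payload reads the schema from sqlite_master (on MySQL the equivalent target would be information_schema); the hardened version returns exactly one row for a valid id and rejects both payloads before any SQL is run. The same two-step rule, validate the type then bind the parameter, applies directly to the PHP script once its query is located.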
