CVE Alert: CVE-2025-9691 – Campcodes – Online Shopping System

CVE-2025-9691

Severity
HIGH
Exploitation status
No exploitation known

A vulnerability has been found in Campcodes Online Shopping System 1.0. It affects an unknown function in the file /login.php: manipulation of the argument Password leads to SQL injection (CWE-89). The attack can be launched remotely and needs no prior authentication. A proof-of-concept exploit has been disclosed publicly and may be used.

CVSS v3.1 (7.3)
Vendor
Campcodes
Product
Online Shopping System
Versions
1.0
CWE
CWE-89, SQL Injection
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published
2025-08-30T14:02:06.639Z
Updated
2025-08-30T14:02:06.639Z

AI Summary Analysis

Risk verdict

Remote, unauthenticated SQL injection in the login page, with a publicly disclosed proof of concept (E:P in the vector); treat as high urgency, even though no in-the-wild exploitation has been reported yet.

Why this matters

An attacker who controls the Password parameter can alter the login query. On a login form that typically means bypassing authentication for any known username (including an admin account) and reading or modifying rows in the user table, stored credentials included. Because the endpoint is unauthenticated and the payload is a single HTTP request, exploitation is easy to automate across every exposed instance, putting customer, order and payment data at risk and undermining customer trust.

Most likely attack path

The CVSS vector describes the path: the endpoint is reachable over the network (AV:N), the attack has low complexity (AC:L), no privileges are required (PR:N) and no user interaction is needed (UI:N). The attacker sends a single crafted POST to /login.php with SQL syntax in the Password parameter; because that value is interpolated into the login query, the attacker can change the query's logic to bypass the password check, or read and alter database rows. The vector scores each of confidentiality, integrity and availability as low (C:L/I:L/A:L), but that is the scorer's assessment rather than an upper bound: in practice a login-page injection often yields an authenticated session or a dump of the user table, which is the foothold for further attacks on the application's data layer.

Who is most exposed

Any internet-facing deployment of Campcodes Online Shopping System 1.0, a PHP/MySQL application. Typical deployments are small to mid-size shops running the code as shipped on standard shared or VPS hosting, with /login.php reachable by anyone on the internet.

Detection ideas

  • WAF or IDS alerts for SQL injection patterns in POST requests to /login.php; note that ordinary web access logs do not record the POST body, so the Password value is only visible in WAF, reverse-proxy or application logs that capture request parameters
  • Application or database error logs showing SQL syntax errors, or HTTP 500 responses, on login attempts
  • A burst of login requests from one source, in particular failed attempts followed by database errors
  • Unusual reads from user or credential tables, or an admin login with no matching successful password check
  • Anomalous login activity from new geographies or in bursts of requests
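The first three detection ideas above can be checked mechanically. The following Python script is an added example written for this note, not part of the advisory or of the vendor's software. It assumes a JSON-lines log (one request per line, with captured POST parameters) of the kind a WAF or reverse proxy can produce; the field names and the sample records are constructed for the example and would need to be mapped onto a real log source. It flags SQL syntax in the Password parameter of POSTs to /login.php, and separately flags a burst of login requests from one source address.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real traffic). The JSON-lines layout with captured
# POST parameters is an assumed WAF/reverse-proxy log format; plain access logs do
# not carry the POST body, so the Password value would not appear in them.
SAMPLE_LOG = r"""
{"ts": "2025-08-30T14:00:01Z", "src": "203.0.113.5", "method": "POST", "path": "/login.php", "params": {"Username": "alice", "Password": "hunter2"}, "status": 302}
{"ts": "2025-08-30T14:00:07Z", "src": "198.51.100.9", "method": "POST", "path": "/login.php", "params": {"Username": "admin", "Password": "' OR '1'='1"}, "status": 302}
{"ts": "2025-08-30T14:00:08Z", "src": "198.51.100.9", "method": "POST", "path": "/login.php", "params": {"Username": "admin", "Password": "x' UNION SELECT 1,2,3-- "}, "status": 500}
{"ts": "2025-08-30T14:00:09Z", "src": "198.51.100.9", "method": "POST", "path": "/login.php", "params": {"Username": "admin", "Password": "x' AND SLEEP(5)-- "}, "status": 200}
{"ts": "2025-08-30T14:00:10Z", "src": "198.51.100.9", "method": "POST", "path": "/login.php", "params": {"Username": "admin", "Password": "x' AND 1=1-- "}, "status": 200}
{"ts": "2025-08-30T14:00:11Z", "src": "198.51.100.9", "method": "POST", "path": "/login.php", "params": {"Username": "admin", "Password": "x' AND 1=2-- "}, "status": 200}
{"ts": "2025-08-30T14:05:00Z", "src": "203.0.113.5", "method": "GET", "path": "/index.php", "params": {}, "status": 200}
""".strip()

# Patterns that have no business in a password submitted to /login.php.
# Checked in order; the first match names the alert.
SQLI_PATTERNS = [
    ("boolean",    re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=\s*'?\d*'?", re.I)),
    ("union",      re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment",    re.compile(r"(--\s|#|/\*)")),
]

BURST_THRESHOLD = 5                  # login POSTs from one source ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window


def classify(password):
    """Return the name of the first SQLi pattern found in a Password value, or None."""
    for name, rx in SQLI_PATTERNS:
        if rx.search(password):
            return name
    return None


def scan(log_text):
    """Return a list of alert dicts: one per suspicious Password, one per bursting source."""
    alerts = []
    login_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or rec["path"] != "/login.php":
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        login_times[rec["src"]].append(ts)
        hit = classify(rec["params"].get("Password", ""))
        if hit:
            # The HTTP status is kept so an analyst can spot 500s (SQL errors) at a glance.
            alerts.append({"kind": "sqli", "pattern": hit, "src": rec["src"],
                           "ts": rec["ts"], "status": rec["status"]})
    # Sliding window over each source's login timestamps; one burst alert per source.
    for src, times in login_times.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"kind": "burst", "src": src, "count": len(window),
                               "ts": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script reports five sqli alerts (all from 198.51.100.9) and one burst alert for that source; the legitimate login from 203.0.113.5 is not flagged. The patterns are deliberately narrow so that a password containing a single apostrophe does not trip them; tune the burst threshold to the normal login rate of the shop.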

Mitigation and prioritisation

  • Apply a vendor fix if one exists; this advisory lists only version 1.0 and names no fixed version, so until a fix is confirmed treat every 1.0 install as vulnerable and rely on the compensating controls below. Verify any update in a test environment before release
  • Replace string-built queries with parameterised queries or prepared statements, and review every login and authentication code path, not just the reported one
  • Disable verbose database error messages and return a generic authentication failure
  • Enable WAF rules that block SQL injection on /login.php and monitor for repeat patterns
  • Add MFA and account lockout after repeated failures; rotate database credentials, and reset user passwords if exploitation is suspected, since the user table may have been read
  • Roll changes out through change management and monitor authentication flows after deployment
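To make the second mitigation concrete, here is an added example (written for this note, not the vendor's code, which the advisory does not show) of the CWE-89 pattern on a login form beside its parameterised replacement. The vendor application is PHP/MySQL; this is a Python/SQLite model of the same query shape, and the query shape itself is an assumption that reproduces the reported weakness (the Password argument interpolated into the login statement), not the disclosed exploit. The payload is the generic textbook one.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical model: the real application's PHP is not on the page. The vulnerable
# query below hashes the password inside SQL, a common pattern (compare MySQL's
# md5('$password')) that still leaves the raw value in the statement text.


def sha256(text):
    """Hex SHA-256; stands in for a real password hash (use bcrypt/argon2 in production)."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """In-memory users table with one account; constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha256", 1, sha256)   # expose sha256() to SQL for the model
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("admin", sha256("correct horse")))
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string interpolation: the Password value becomes SQL."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = sha256('{password}')")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised lookup; the hash comparison happens in application code."""
    row = conn.execute("SELECT id, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Same answer for unknown user and wrong password; constant-time compare.
    if row is None or not hmac.compare_digest(row[1], sha256(password)):
        return None
    return row[0]


# With the vulnerable query this closes sha256('...'), adds OR 1=1 and comments out
# the rest, so every row matches and the first user (admin) is "authenticated".
GENERIC_PAYLOAD = "') OR 1=1-- "

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "admin", GENERIC_PAYLOAD))   # 1: logged in without the password
    print(safe_login(db, "admin", GENERIC_PAYLOAD))         # None: payload is just a wrong password
```

In the hardened version the user-supplied value never reaches the SQL parser, so it cannot change the statement's structure. The PHP equivalent is a mysqli or PDO prepared statement (prepare the query with a ? placeholder, bind the username, execute) followed by password_verify() on the stored hash, with the generic "invalid credentials" message returned for both unknown users and wrong passwords.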
