CVE Alert: CVE-2025-9794 – Campcodes – Computer Sales and Inventory System
CVE-2025-9794
A flaw has been found in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/pos_transac.php?action=add. Manipulation of the argument cash/firstname can lead to SQL injection. The attack can be performed remotely. An exploit has been published and may be used. Other parameters might be affected as well.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with a published exploit and PoC indicators; exploitation is plausible without authentication.
Why this matters
An attacker can read, modify or corrupt database data and potentially exfiltrate sensitive information. Given the availability impact noted in the CVSS metrics, a successful exploit could disrupt sales transactions and inventory integrity, with downstream effects on finance and customer trust.
Most likely attack path
An unauthenticated remote attacker targets the PHP endpoint /pages/pos_transac.php?action=add, injecting via the cash/firstname parameters (and possibly other inputs). Network vector, low attack complexity and no user interaction required increase the chance of automated probing and exploitation, risking the confidentiality, integrity and availability of the database. With no privilege requirements and network access, movement into adjacent data stores is feasible if the database is reachable from the web tier.
Who is most exposed
Web applications with PHP backends hosting sales/inventory modules, especially on internet-facing or poorly segmented environments, are most at risk. Common exposure patterns are organisations running this class of system in small-to-mid scale setups or on shared hosting infrastructure.
Detection ideas
- Anomalous requests to pos_transac.php?action=add with unusual cash/firstname payloads.
- SQL error messages or stack traces in application or DB logs.
- WAF/IDS alerts for SQL injection patterns targeting input fields.
- Unexpected data changes in orders, payments, or inventory tables.
- Sudden spikes in DB query latency or CPU on the web/app server.
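The first detection idea above can be turned into a log check. The following is an added example, not part of the original alert and not code from Campcodes: it parses Apache combined-format access-log lines, keeps only requests to pos_transac.php with action=add, and flags a cash value that is not a decimal amount or a firstname value that carries SQL metacharacters or keywords, while also recording HTTP 500 responses on that endpoint (the "SQL error" signal). The log lines are constructed for the example; the regular expressions are assumptions about what a reasonable first signature looks like, not a vendor rule set.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "POST /pages/pos_transac.php?action=add HTTP/1.1" 302 221 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Sep/2025:10:00:05 +0000] "GET /pages/pos_transac.php?action=add&cash=100&firstname=Ana HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2025:10:00:09 +0000] "GET /pages/pos_transac.php?action=add&cash=1&firstname=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Sep/2025:10:00:10 +0000] "GET /pages/pos_transac.php?action=add&cash=1%20OR%201%3D1--&firstname=x HTTP/1.1" 500 512 "-" "python-requests/2.31"
10.0.0.8 - - [01/Sep/2025:10:00:12 +0000] "GET /pages/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "method target protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Parameters named in the advisory; other parameters "might be affected as well".
WATCHED_PARAMS = ("cash", "firstname")

# Assumed first-pass SQL injection signature: quotes, comment markers, tautology shapes, keywords.
SQLI_RE = re.compile(r"""
    ['"`;]                          # quote, backtick or statement terminator
  | --|\#|/\*                       # SQL comment markers
  | \b(?:or|and)\b\s+['"\d]         # tautology shape such as OR '1'='1
  | \b(?:union|select|insert|update|delete|drop|sleep|benchmark)\b
""", re.IGNORECASE | re.VERBOSE)


def inspect_request(target):
    """Return (param, decoded value, reason) tuples for suspicious watched parameters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/pos_transac.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != ["add"]:
        return []
    findings = []
    for name in WATCHED_PARAMS:
        for raw in qs.get(name, []):
            # parse_qs decoded once; decoding again catches double-encoded payloads.
            value = unquote_plus(raw)
            if name == "cash" and not re.fullmatch(r"\d+(\.\d+)?", value):
                findings.append((name, value, "non-numeric cash"))
            elif SQLI_RE.search(value):
                findings.append((name, value, "sql metacharacters"))
    return findings


def scan_log(text):
    """Scan log text; return one alert per request that has findings or a 500 on the endpoint."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_request(m["target"])
        server_error = m["status"] == "500" and "pos_transac.php" in m["target"]
        if findings or server_error:
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "server_error": server_error,
                "findings": findings,
            })
    return alerts


def alerts_by_ip(alerts):
    """Count alerts per client address, the usual pivot for spotting automated probing."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["status"], hit["findings"])
    print(alerts_by_ip(hits))
```

Two caveats apply in practice: POST bodies are not in a standard access log, so the body parameters named in the advisory are only visible here when sent in the query string (WAF or application-level logging is needed for the POST case), and a legitimate surname with an apostrophe will trip the quote rule, so treat a single hit as a lead and a burst from one address with 500 responses as the stronger signal.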
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a patched release; if none is available, implement strong input validation and use parameterised queries or stored procedures.
- Deploy or tune a Web Application Firewall to block SQL injection patterns at the input layer.
- Enforce least privilege on the web-facing DB account; tighten network segmentation between web tier and database.
- Add monitoring/alerting for SQL errors and anomalous data modifications; implement change-management testing in staging.
- Conduct a focused patch window and rollback plan; verify no dependent services are impacted.
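The first mitigation item (input validation plus parameterised queries) is the fix for the vulnerability class. The following is an added example and not the vendor's code: it shows, in Python with an in-memory SQLite table, the same defect the advisory describes (values spliced into the SQL text) next to the hardened form (the amount validated as a decimal, the name bound as a parameter). Python and SQLite are used here so the example runs stand-alone; in the PHP application itself the equivalent is a PDO or mysqli prepared statement with bound parameters. The table name and columns are assumptions modelled on the endpoint name, not the real schema.

```python
import sqlite3
from decimal import Decimal, InvalidOperation


def setup_db():
    """In-memory table assumed to mirror what pos_transac.php?action=add writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pos_transac (id INTEGER PRIMARY KEY, cash REAL NOT NULL, firstname TEXT NOT NULL)"
    )
    return conn


def insert_vulnerable(conn, cash, firstname):
    # The defect: untrusted values become part of the SQL text, so a quote in
    # `firstname` or an expression in `cash` is parsed as SQL, not stored as data.
    sql = f"INSERT INTO pos_transac (cash, firstname) VALUES ({cash}, '{firstname}')"
    conn.execute(sql)
    conn.commit()


def validate_cash(raw):
    """Accept only a non-negative amount with at most two decimal places."""
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("cash must be a decimal amount")
    if value < 0 or value.as_tuple().exponent < -2:
        raise ValueError("cash must be non-negative with at most two decimal places")
    return value


def insert_safe(conn, cash, firstname):
    """Validate the inputs, then bind them as parameters so they can never alter the statement."""
    amount = validate_cash(cash)
    if not (1 <= len(firstname) <= 64):
        raise ValueError("firstname length out of range")
    conn.execute(
        "INSERT INTO pos_transac (cash, firstname) VALUES (?, ?)",
        (float(amount), firstname),
    )
    conn.commit()


def demo():
    """Run both variants on the same inputs and report what happened."""
    conn = setup_db()
    name = "O'Brien"  # a legitimate value that already breaks string-built SQL
    results = {}
    try:
        insert_vulnerable(conn, "100", name)
        results["vulnerable"] = "inserted"
    except sqlite3.OperationalError:
        results["vulnerable"] = "syntax error"  # the apostrophe ended the string literal early
    insert_safe(conn, "100", name)
    results["safe"] = conn.execute("SELECT firstname FROM pos_transac").fetchone()[0]
    try:
        insert_safe(conn, "1 OR 1=1", name)
        results["rejected_cash"] = False
    except ValueError:
        results["rejected_cash"] = True  # validation stops a non-amount before any SQL runs
    return results


if __name__ == "__main__":
    print(demo())
```

The apostrophe case is deliberately a benign input: the same mechanism that makes a surname crash the string-built query is what lets a crafted value change the query, and binding parameters removes both problems at once. Validation of `cash` is still worth keeping on top of binding, because a parameterised query protects the SQL, not the business rule that an amount must be a number.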