CVE-2025-10030: SQL Injection in Campcodes Grocery Sales and Inventory System

Severity: Medium
Published: Sat Sep 06 2025 (09/06/2025, 10:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A weakness has been identified in Campcodes Grocery Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=save_receiving. Executing manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

Last updated: 09/15/2025, 00:47:03 UTC

Technical Analysis

CVE-2025-10030 is a SQL injection vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. The flaw sits in the handling of the /ajax.php?action=save_receiving endpoint: the 'ID' parameter reaches a backend database query without adequate validation or parameterization, so an attacker who controls that value can change the structure of the query rather than just its data. According to the published metrics, exploitation is possible remotely, without prior authentication or user interaction, and can lead to unauthorized reading, modification, or deletion of database contents.

The vulnerability carries a CVSS 4.0 base score of 6.9 (Medium). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on the vulnerable system's confidentiality, integrity, and availability is rated Low (VC:L, VI:L, VA:L), which is why the score stops short of High: some data compromise or disruption is expected, not full system takeover or broad denial of service. No patch or vendor fix has been linked at the time of writing. Exploit code is publicly available, but there are no confirmed reports of exploitation in the wild.

The public exploit raises the practical risk for any organization running the affected version. A grocery sales and inventory system holds transactional records, stock levels, supplier data, and possibly customer details, and unauthorized access to or tampering with that data can translate into financial loss, reputational damage, and regulatory exposure.
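The mechanics described above, as an added illustration that is not code from the Campcodes product (whose source is not reproduced on this page): a handler that splices the ID parameter into an UPDATE statement, beside a hardened version that validates the value and binds it as a query parameter. The table name, column names, SQLite backend and sample rows are assumptions made for the demonstration; the real application's database engine and schema are not described here.

```python
import re
import sqlite3

# Constructed sample rows for a stand-in "receiving" table. The real
# application's tables are not described on this page; these are assumptions.
SAMPLE_ROWS = [
    (1, "Acme Produce", 10),
    (2, "Bulk Grains Co", 40),
    (3, "Dairy Direct", 25),
]

NUMERIC_ID = re.compile(r"[0-9]+")  # the only shape a record ID is allowed to have


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE receiving (id INTEGER PRIMARY KEY, supplier TEXT, qty INTEGER)"
    )
    db.executemany("INSERT INTO receiving VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def save_receiving_vulnerable(db, id_value, qty):
    """Anti-pattern: the request parameter is pasted into the SQL text.

    Whatever the client sends as `id` becomes part of the WHERE clause, so a
    value such as "1 OR 1=1" widens the update to every row. Only `id` is the
    injection point under discussion; `qty` is cast to int to keep the demo
    focused. Returns the number of rows the UPDATE touched.
    """
    sql = f"UPDATE receiving SET qty = {int(qty)} WHERE id = {id_value}"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def save_receiving_fixed(db, id_value, qty):
    """Hardened handler: allow-list validation plus a parameterized query.

    The ID is checked against its expected shape before use, and both values
    are bound as parameters so the driver never parses them as SQL.
    Returns the number of rows updated (0 or 1).
    """
    if not NUMERIC_ID.fullmatch(str(id_value)):
        raise ValueError("id must be a positive integer")
    cur = db.execute(
        "UPDATE receiving SET qty = ? WHERE id = ?", (int(qty), int(id_value))
    )
    db.commit()
    return cur.rowcount


def read_qtys(db):
    """Return the qty column in id order, to observe what each handler did."""
    return [row[0] for row in db.execute("SELECT qty FROM receiving ORDER BY id")]


def demo(payload="1 OR 1=1"):
    """Run the same tautology payload through both handlers and report the effect."""
    db = make_db()
    vuln_rows = save_receiving_vulnerable(db, payload, 0)
    vuln_qtys = read_qtys(db)

    db = make_db()
    try:
        save_receiving_fixed(db, payload, 0)
        rejected = False
    except ValueError:
        rejected = True
    fixed_rows = save_receiving_fixed(db, "1", 0)  # the legitimate request still works
    fixed_qtys = read_qtys(db)

    return {
        "vulnerable_rows": vuln_rows,  # every row was overwritten
        "vulnerable_qtys": vuln_qtys,
        "payload_rejected": rejected,  # validation stopped the payload
        "fixed_rows": fixed_rows,      # only the intended row changed
        "fixed_qtys": fixed_qtys,
    }


if __name__ == "__main__":
    print(demo())
```

The validation step matters even with parameter binding: a bound value can no longer alter the query, but rejecting anything that is not a plain integer also gives you a clean point at which to log and alert on the attempt.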

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for small to medium-sized enterprises (SMEs) in the retail and grocery sectors that rely on Campcodes Grocery Sales and Inventory System version 1.0. Unauthorized access or manipulation of sales and inventory data could disrupt supply chain operations, cause financial discrepancies, and lead to incorrect stock management. This could result in lost sales, customer dissatisfaction, and operational downtime. Furthermore, exposure of sensitive customer or supplier information could violate GDPR requirements, leading to legal penalties and loss of customer trust. The medium severity rating suggests that while the vulnerability may not allow full system compromise, it still poses a tangible risk to data confidentiality and integrity. European organizations with interconnected IT environments might also face cascading effects if attackers use this vulnerability as a foothold to pivot to other internal systems. Given the public availability of exploit code, the risk of opportunistic attacks increases, emphasizing the need for timely mitigation.

Mitigation Recommendations

Specific mitigation steps for European organizations include:

1) Restrict access to the /ajax.php?action=save_receiving endpoint immediately, ideally limiting it to trusted internal networks or VPN users. An application that is reachable only from a back-office network is far less exposed to the opportunistic scanning that public exploit code invites.
2) Fix the root cause in the application code: validate the 'ID' parameter against its expected form (a positive integer) and pass it to the database through parameterized queries or prepared statements rather than string concatenation. Where the source cannot be modified, deploy a Web Application Firewall (WAF) with rules that block SQL injection patterns in the 'ID' parameter of this endpoint, and treat the WAF as a stopgap rather than a fix, since signature-based filters can be bypassed.
3) Audit the rest of the Campcodes code base for the same pattern, including the other actions served by ajax.php, so that similar injection points are found and remediated together.
4) Monitor web server and database logs for requests to the vulnerable endpoint that carry non-numeric or SQL-like 'ID' values and for repeated access attempts from a single source. Standard access logs record only the query string, so if the parameter travels in a POST body you need application-level or request-body logging to see it.
5) Engage the vendor (Campcodes) for a patch; if none is available, plan to move to a fixed version as soon as one is released.
6) Brief IT and security teams on this vulnerability and make sure incident response plans cover SQL injection scenarios, including how to determine which data was read or altered.
7) Back up sales and inventory data regularly and test the restores, so that tampered or deleted records can be recovered.
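The log monitoring in step 4, as an added example that is not part of the original page or of any vendor tooling: a small detector that reads Apache combined-format access log lines, picks out requests to /ajax.php with action=save_receiving, flags any 'id' value that is not a plain integer, and reports sources that hit the endpoint repeatedly. The log lines are constructed for the example, not real traffic; the field layout, the choice of SQL keywords in the signature and the repeat threshold are assumptions. It also shows the caveat from step 4: a POST whose parameters are in the body is counted as an endpoint hit but its 'id' cannot be inspected from the access log.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2025:10:40:01 +0000] "GET /ajax.php?action=save_receiving&id=12 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2025:10:40:03 +0000] "GET /ajax.php?action=save_receiving&id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.5 - - [06/Sep/2025:10:40:04 +0000] "GET /ajax.php?action=save_receiving&id=12%20OR%201%3D1 HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.7 - - [06/Sep/2025:10:41:10 +0000] "GET /ajax.php?action=save_receiving&id=7 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2025:10:41:12 +0000] "GET /index.php?page=receiving HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2025:10:41:30 +0000] "GET /ajax.php?action=login HTTP/1.1" 200 2 "-" "python-requests/2.31"
192.0.2.9 - - [06/Sep/2025:10:42:00 +0000] "POST /ajax.php?action=save_receiving HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2025:10:42:05 +0000] "GET /ajax.php?action=save_receiving&id=12 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Common SQL metacharacters and keywords; used only to annotate why a value looks hostile.
SQLI_SIG = re.compile(r"""(?i)(['"]|--|/\*|;|\b(?:or|and|union|select|sleep|benchmark)\b)""")
NUMERIC_ID = re.compile(r"[0-9]+")  # the only legitimate shape of the 'id' parameter


def parse_line(line):
    """Split one access log line into its fields plus the decoded query parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%27" becomes "'" before inspection.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_target_endpoint(rec):
    """True for requests that reach the vulnerable save_receiving action."""
    return rec["path"] == "/ajax.php" and rec["params"].get("action") == "save_receiving"


def analyze(log_text, repeat_threshold=4):
    """Flag SQL-injection-looking 'id' values and sources hammering the endpoint."""
    attempts = []
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_target_endpoint(rec):
            continue
        hits[rec["ip"]] += 1
        id_value = rec["params"].get("id")
        if id_value is None:
            # A POST body is not in the access log; only the application or a
            # request-body log can show what this request actually carried.
            continue
        if not NUMERIC_ID.fullmatch(id_value):
            attempts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "id": id_value,
                "sqli_signature": bool(SQLI_SIG.search(id_value)),
            })
    noisy = {ip: n for ip, n in hits.items() if n >= repeat_threshold}
    return {"injection_attempts": attempts, "endpoint_hits": dict(hits), "noisy_sources": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["injection_attempts"]:
        print(f"{a['ts']} {a['ip']} id={a['id']!r} signature={a['sqli_signature']}")
    print("noisy sources:", result["noisy_sources"])
```

Flagging on "not a plain integer" rather than on a keyword list is deliberate: the keyword match is reported as extra context, but the detection does not depend on it, so encoded or unusual payloads that a signature would miss are still surfaced.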


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-05T13:14:31.166Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68bc0ed648e44a64aad8ca93

Added to database: 9/6/2025, 10:37:10 AM

Last enriched: 9/15/2025, 12:47:03 AM

Last updated: 10/22/2025, 11:54:50 PM
