CVE-2025-10030 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability arises from improper sanitization or validation of the 'ID' parameter in the /ajax.php?action=save_receiving endpoint. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the underlying database. This can lead to unauthorized data disclosure, modification, or deletion, compromising the confidentiality, integrity, and availability of the system's data. The vulnerability requires no authentication or user interaction to exploit, making it accessible to remote attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the exploit code has been made publicly available, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a specialized inventory and sales management system used primarily by grocery retailers to manage stock and sales data.

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a significant risk to business operations and data security. Successful exploitation could lead to unauthorized access to sensitive sales and inventory data, potentially exposing customer information, pricing strategies, and supplier details. Data integrity could be compromised, resulting in inaccurate inventory records and financial discrepancies. Availability of the system could also be affected if attackers execute destructive SQL commands. This could disrupt retail operations, causing financial losses and reputational damage. Given the remote exploitability without authentication, attackers could target multiple organizations at scale. The medium severity rating suggests a moderate but tangible risk, especially for small to medium grocery retailers that may lack robust cybersecurity defenses. Additionally, regulatory compliance risks exist under GDPR if personal data is exposed or mishandled due to this vulnerability.

To mitigate this vulnerability, affected organizations should immediately upgrade to a patched version of the Campcodes Grocery Sales and Inventory System once available. In the absence of an official patch, organizations should implement input validation and parameterized queries or prepared statements to sanitize the 'ID' parameter in the /ajax.php?action=save_receiving endpoint. Web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting this endpoint. Network segmentation should be employed to limit access to the system from untrusted networks. Regular security audits and code reviews should be conducted to identify similar injection flaws. Monitoring and logging of database queries and web requests can help detect exploitation attempts early. Organizations should also ensure regular backups of inventory and sales data to enable recovery in case of data corruption or loss. Finally, staff awareness training on cybersecurity best practices can reduce the risk of exploitation through social engineering or other vectors.