CVE-2025-10031 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability exists in the /ajax.php endpoint, specifically in the 'delete_sales' action, where the 'ID' parameter is improperly sanitized. This allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The injection can lead to unauthorized data manipulation, data leakage, or potentially full compromise of the underlying database. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the vulnerability's network attack vector, low complexity, and no required privileges or user interaction. The impact on confidentiality, integrity, and availability is rated as low individually but combined can be significant depending on the attacker's goals and the database's contents. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by opportunistic attackers. The lack of available patches or mitigations from the vendor at this time further exacerbates the risk for organizations using this software version.

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of sales and inventory data. Attackers exploiting this flaw could manipulate sales records, delete or alter inventory data, or exfiltrate sensitive business information, potentially disrupting operations and causing financial losses. Given the system's role in managing grocery sales and inventory, exploitation could lead to inaccurate stock levels, impacting supply chain decisions and customer satisfaction. Additionally, compromised data could violate data protection regulations such as GDPR if personal or transactional data is exposed, leading to legal and reputational consequences. The remote and unauthenticated nature of the exploit increases the threat level, especially for organizations with internet-facing instances of this system or insufficient network segmentation.

Organizations should immediately audit their use of Campcodes Grocery Sales and Inventory System 1.0 and isolate any internet-facing instances. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting the 'ID' parameter in the /ajax.php?action=delete_sales endpoint. Input validation and parameterized queries should be implemented by the vendor; until an official patch is released, organizations can consider deploying virtual patching rules. Monitoring database logs for unusual queries or deletions related to sales data can help detect exploitation attempts early. Restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Finally, organizations should engage with the vendor for patch timelines and consider alternative inventory management solutions if remediation is delayed.