
CVE-2025-10413: SQL Injection in Campcodes Grocery Sales and Inventory System

Severity: Medium (CVSS 4.0 base score 6.9)
Published: Sun Sep 14 2025 (09/14/2025, 22:02:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=delete_customer. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/14/2025, 22:11:47 UTC

Technical Analysis

CVE-2025-10413 is a SQL injection vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. The flaw sits in the /ajax.php endpoint under the 'delete_customer' action, where the value of the ID parameter reaches the database query without validation or parameter binding; the CVE record does not name the function involved, so the exact code path is unknown. An attacker who controls ID can change the query the backend executes, and because the action is a delete, the most direct outcome is unauthorized modification or destruction of customer records, with data disclosure possible depending on how the database surfaces errors or timing differences. The record states that the attack can be executed remotely and that an exploit has been disclosed publicly; this page does not report confirmed exploitation in the wild, but a public exploit for a single-parameter injection lowers the bar for opportunistic scanning considerably. The CVSS 4.0 base score is 6.9 (medium), derived from a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity and availability; the vector string itself is not reproduced on this page, so confirm the privileges-required component against the VulDB entry before relying on the endpoint being reachable without a valid session. The software manages customer information, sales records and inventory, so exploitation could lead to data leakage, unauthorized data manipulation or disruption of business operations.
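The following is an added illustration, not code from the page or from Campcodes. The affected application is written in PHP and its delete_customer code is not shown here, so this Python/SQLite model reproduces the assumed pattern (the request value spliced into a DELETE statement) beside the fix the analysis calls for (allow-list the shape of ID, then bind it as a parameter). Table name, column names, seed rows and the ID length limit are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data; the real application's schema is not on the page.
SEED_CUSTOMERS = [(1, "Ada"), (2, "Grace"), (3, "Linus")]
ID_PATTERN = re.compile(r"[0-9]{1,10}")  # assumed allow-list: plain decimal ids only


def fresh_db():
    """In-memory SQLite stand-in for the application's customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)", SEED_CUSTOMERS)
    conn.commit()
    return conn


def delete_customer_vulnerable(conn, customer_id):
    """Assumed vulnerable pattern: the request value is spliced into the SQL text,
    so the caller controls the WHERE clause, not just the value compared to id."""
    sql = f"DELETE FROM customers WHERE id = {customer_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_customer_hardened(conn, customer_id):
    """Fix: reject anything that is not a plain decimal id, then bind it as a
    parameter so the database never parses attacker-supplied text as SQL."""
    if not isinstance(customer_id, str) or not ID_PATTERN.fullmatch(customer_id):
        raise ValueError("customer id must be a decimal integer")
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (int(customer_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def demo():
    """Sends the same two requests to both versions and reports the effect."""
    payload = "1 OR 1=1"  # turns 'WHERE id = 1' into a clause that matches every row
    results = {}

    conn = fresh_db()
    results["vuln_honest"] = delete_customer_vulnerable(conn, "2")       # 1 row
    results["vuln_payload"] = delete_customer_vulnerable(conn, payload)  # 2 rows: all that remained
    results["vuln_left"] = remaining(conn)                               # 0

    conn = fresh_db()
    results["hard_honest"] = delete_customer_hardened(conn, "2")         # 1 row
    try:
        delete_customer_hardened(conn, payload)
        results["hard_payload"] = "accepted"
    except ValueError:
        results["hard_payload"] = "rejected"
    results["hard_left"] = remaining(conn)                               # 2
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```

The payload does not need stacked statements or quotes: a bare boolean appended to a numeric comparison is enough to delete the whole table, which is why casting or allow-listing the parameter matters even when the query binds values correctly elsewhere. The same reasoning applies to MySQL behind PHP, where the fix is a PDO or mysqli prepared statement with the id passed as a bound integer.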

Potential Impact

For European organizations running Campcodes Grocery Sales and Inventory System 1.0, this vulnerability threatens the confidentiality and integrity of business-critical data. An attacker exploiting the injection could extract customer and sales data, which for EU customers is personal data under the GDPR, and could delete or alter inventory and sales records, disrupting supply chain and financial reporting and causing downtime and financial loss. Because the attack is remote and, per the score, needs no user interaction, exposure is highest where the system is reachable from the internet or sits on a poorly segmented internal network. The medium rating indicates that a single injection is unlikely to yield full system compromise or broad availability loss without chaining further weaknesses, but the data-integrity and regulatory consequences can still be substantial.

Mitigation Recommendations

Specific mitigation steps:

1) Apply a vendor fix as soon as one exists. No patch link is published on this page, so contact Campcodes for remediation guidance and treat the deployed build as unpatched in the meantime.

2) Fix the code path behind /ajax.php?action=delete_customer: validate that ID is a plain integer and pass it to the database as a bound parameter (prepared statement), never by string concatenation.

3) Restrict reach to /ajax.php with network controls (firewall rules, reverse-proxy allow lists or a WAF) so that only trusted internal addresses can call it; a WAF signature for the known payload shapes is a stopgap, not a fix.

4) Review and test every other AJAX action in the same file, since the same parameter-handling pattern is likely repeated.

5) Monitor web server and database logs for requests to the delete_customer action whose ID is anything other than a bare integer, and for unusual DELETE or error-heavy query activity.

6) Run the application with a database account holding only the privileges it needs (no DROP, FILE or administrative rights), which limits what a successful injection can do beyond the customers table.

7) Keep the inventory system off public-facing network segments and enforce strong authentication and authorization on administrative functions, including the delete actions.
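As an added example of the log monitoring suggested above (not code from the page or from Campcodes), the script below parses Combined Log Format lines and flags every call to the delete_customer action whose ID is not a bare integer. The log lines are constructed for the example; the parameter name is matched case-insensitively because the page writes it as 'ID' while PHP query keys are case-sensitive, and the value is decoded a second time so percent-encoded evasion is still visible. Whether the application takes ID by GET or POST is not stated on the page; if it is POST, the value will not appear in the access log and the same check belongs on the application or database query log instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined-Log-Format lines; not real traffic.
LOG_LINES = [
    '203.0.113.7 - - [14/Sep/2025:22:30:01 +0000] "GET /ajax.php?action=delete_customer&id=42 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Sep/2025:22:30:05 +0000] "GET /ajax.php?action=delete_customer&id=1%20OR%201%3D1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Sep/2025:22:31:12 +0000] "GET /ajax.php?action=delete_customer&id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 17 "-" "python-requests/2.32"',
    '198.51.100.9 - - [14/Sep/2025:22:31:40 +0000] "GET /ajax.php?action=save_customer&id=7 HTTP/1.1" 200 22 "-" "Mozilla/5.0"',
    '192.0.2.3 - - [14/Sep/2025:22:32:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# ip, ident, user, [timestamp], "METHOD target PROTO", status ... (rest ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
DECIMAL_ID = re.compile(r"[0-9]+")


def inspect_request(target):
    """Returns None when the request is not a delete_customer call, otherwise
    ('suspicious' | 'benign', decoded_id). Decodes twice to catch %25-style evasion."""
    parts = urlsplit(target)
    if parts.path != "/ajax.php":
        return None
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if params.get("action", [""])[0].lower() != "delete_customer":
        return None
    for raw in params.get("id", []):
        value = unquote(raw)  # parse_qs already decoded once; this catches double encoding
        if not DECIMAL_ID.fullmatch(value):
            return ("suspicious", value)
    return ("benign", params.get("id", [""])[0])


def scan(lines):
    """Parses each line and collects delete_customer calls whose id is not a plain integer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = inspect_request(m.group("target"))
        if verdict and verdict[0] == "suspicious":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "id": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} id={hit["id"]!r}')
```

A 200 status on a flagged request is worth treating as a possible success rather than a blocked probe, since the vulnerable action does not need to error out for the injected condition to take effect.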


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-14T06:23:06.416Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c73d8a5a306f7ce4d0ee8f

Added to database: 9/14/2025, 10:11:22 PM

Last enriched: 9/14/2025, 10:11:47 PM

Last updated: 9/15/2025, 2:15:48 AM
