
CVE-2025-10414: SQL Injection in Campcodes Grocery Sales and Inventory System

Medium
Tags: Vulnerability, CVE-2025-10414, cve, cve-2025-10414
Published: Sun Sep 14 2025 (09/14/2025, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability was found in Campcodes Grocery Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=save_customer. Manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been made public and may be used.

AI-Powered Analysis

AI analysis last updated: 09/15/2025, 00:09:30 UTC

Technical Analysis

CVE-2025-10414 is a SQL injection vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. It sits in the /ajax.php endpoint, in the handler for the save_customer action: the value of the ID parameter reaches a database query without being parameterized or validated, so a crafted request can change the SQL statement that is executed. The endpoint is reachable remotely and, as assessed here, requires neither privileges nor user interaction, which puts it within reach of any client that can contact the application. Depending on the privileges of the database account the application uses, a successful injection can expose, alter or delete the application's data, including customer records, inventory details and sales information. The CVSS 4.0 base score is 6.9 (medium); the score reflects an impact confined to the vulnerable component and the absence of any privilege requirement. No exploitation in the wild had been reported at the time of this analysis, but exploit code is public, which lowers the effort needed to attack exposed instances. The issue is particularly relevant to organizations running this exact version to manage commercial and customer data.
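The pattern described above, beside its fix, as an added PHP example (not code from Campcodes or from this page). The real handler's source is not reproduced here, so the table name `customers`, the `name` column, the request shape and the mysqli connection are assumptions; the `7 OR 1=1` value in the comment is a generic illustration of an unquoted integer injection, not the published exploit.

```php
<?php
// Added illustration, not Campcodes code: the affected handler's source is
// not on this page, so this reconstructs the pattern the advisory describes
// (the request's ID value spliced into SQL text) beside a fixed version.
// Table/column names, the request shape and the mysqli connection are assumed.

declare(strict_types=1);

// ---- Vulnerable pattern (do not deploy) --------------------------------
function save_customer_vulnerable(mysqli $db, array $req): bool
{
    $id   = $req['id'] ?? '';
    $name = $db->real_escape_string((string) ($req['name'] ?? ''));

    // The id is interpolated unquoted, so escaping $name changes nothing:
    // a value like "7 OR 1=1" (generic example) rewrites the WHERE clause
    // and updates every row; UNION/subquery payloads reach the parser too.
    $sql = $id === ''
        ? "INSERT INTO customers (name) VALUES ('$name')"
        : "UPDATE customers SET name = '$name' WHERE id = $id";

    return $db->query($sql) !== false;
}

// ---- Hardened version --------------------------------------------------
function save_customer_hardened(mysqli $db, array $req): bool
{
    // 1. Type-check before the value goes anywhere near SQL: an empty id
    //    means "create", anything else must be a positive integer.
    $rawId = (string) ($req['id'] ?? '');
    $id = null;
    if ($rawId !== '') {
        $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            http_response_code(400);      // reject; do not "clean up" and continue
            return false;
        }
    }

    $name = trim((string) ($req['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);
        return false;
    }

    // 2. Prepared statement: bound values travel as data and are never
    //    parsed as SQL. This is the fix; step 1 is defence in depth.
    $stmt = $db->prepare($id === null
        ? 'INSERT INTO customers (name) VALUES (?)'
        : 'UPDATE customers SET name = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    if ($id === null) {
        $stmt->bind_param('s', $name);
    } else {
        $stmt->bind_param('si', $name, $id);
    }
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// ---- Minimal router in the style of ajax.php?action=... (assumed) -------
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'save_customer') {
    // Use an account limited to this schema, without FILE or admin rights.
    $db = new mysqli('localhost', 'grocery_app', 'change-me', 'grocery');  // assumed
    $db->set_charset('utf8mb4');
    echo save_customer_hardened($db, $_POST) ? '1' : '0';
}
```

The integer check alone would already defeat the injection for this parameter, but it is the prepared statement that removes the class of bug: every other string field in the same handler (name, address, contact) is equally exploitable if it is concatenated, and `real_escape_string` only protects values that sit inside quotes.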

Potential Impact

For European organizations running Campcodes Grocery Sales and Inventory System 1.0, the main risks are to data confidentiality and integrity: unauthorized disclosure of customer data, manipulation of inventory and sales records, and disruption of day-to-day operations. Disclosure of personal data would be a reportable breach under GDPR, with the financial and reputational consequences that follow. Because the attack is remote and unauthenticated, the likelihood of exploitation is highest where the application is exposed to the internet or sits on a poorly segmented network. Small and medium-sized retailers and grocery businesses, the typical users of this software, have the least capacity to absorb an outage or a loss of customer trust. A compromised database can also serve as a foothold: credentials or other data stored in it, or database features reachable through injection, may give an attacker a path into adjacent infrastructure.

Mitigation Recommendations

Organizations should first establish whether version 1.0 of Campcodes Grocery Sales and Inventory System is deployed anywhere and upgrade as soon as the vendor publishes a fix; none is referenced on this page at the time of writing. Until then, the root-cause fix is a code change: pass the ID value (and every other request parameter) to the database through prepared statements with bound parameters, and reject non-integer IDs in the /ajax.php?action=save_customer handler before any query is built. Input validation and a WAF rule that blocks SQL injection patterns on this endpoint are stopgaps that reduce exposure but do not remove the flaw. Limit who can reach the application at all: keep it off the internet, or behind a VPN and firewall rules, where the business allows. Monitor web server and application logs for requests to the vulnerable endpoint with non-numeric or unusually long ID values and for spikes in database errors; bear in mind that parameters sent in a POST body do not appear in standard access logs, so application-level or WAF logging is needed to see them. Run the application against a database account with only the privileges it needs (no FILE privilege, no access to other schemas, no administrative rights) so that a successful injection cannot escalate. Include injection-focused testing in periodic security audits and penetration tests, and keep tested, offline backups so tampered or deleted records can be restored.
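The log-monitoring recommendation above, as an added PHP triage script (an illustration, not something shipped with the product or quoted from this page). The five Apache combined-format log lines are constructed for the example using documentation addresses; the endpoint and action name come from the advisory, while the parameter name `id`, its casing, and the severity labels are assumptions.

```php
<?php
// Added example, not from this page or the vendor: triage of access-log
// lines for requests to /ajax.php?action=save_customer. The sample log is
// constructed (Apache combined format, TEST-NET addresses); the parameter
// name "id" and the severity labels are assumptions.

declare(strict_types=1);

$sampleLog = <<<'LOG'
203.0.113.5 - - [14/Sep/2025:22:40:01 +0000] "GET /ajax.php?action=save_customer&id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2025:22:40:03 +0000] "GET /ajax.php?action=save_customer&id=7%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2025:22:40:05 +0000] "GET /ajax.php?action=save_customer&id=7'%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 0 "-" "python-requests/2.32"
198.51.100.9 - - [14/Sep/2025:22:41:10 +0000] "POST /ajax.php?action=save_customer HTTP/1.1" 200 2 "-" "curl/8.0"
198.51.100.9 - - [14/Sep/2025:22:41:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

/**
 * One finding per line that targets ajax.php?action=save_customer.
 *  'alert'  : id is present in the query string and is not a plain integer
 *  'review' : id is absent from the query string (POST body, which the
 *             access log cannot show; check WAF or application logs)
 */
function triage_save_customer(string $log): array
{
    $findings = [];
    $lineNo = 0;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $lineNo++;
        // client, timestamp, method, request target, status
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                       // not a combined-format line
        }
        [, $client, $ts, $method, $target, $status] = $m;

        $url = parse_url($target);
        if (($url['path'] ?? '') !== '/ajax.php') {
            continue;
        }
        parse_str($url['query'] ?? '', $params);         // URL-decodes values
        $params = array_change_key_case($params, CASE_LOWER); // "ID" vs "id"
        if (($params['action'] ?? '') !== 'save_customer') {
            continue;
        }

        if (!array_key_exists('id', $params)) {
            $findings[] = ['line' => $lineNo, 'time' => $ts, 'client' => $client,
                'severity' => 'review',
                'reason' => "$method with no id in query string; inspect body via WAF/application log"];
            continue;
        }
        if (!preg_match('/^\d+$/', (string) $params['id'])) {
            $findings[] = ['line' => $lineNo, 'time' => $ts, 'client' => $client,
                'severity' => 'alert',
                'reason' => 'non-numeric id "' . $params['id'] . "\" (HTTP $status)"];
        }
    }
    return $findings;
}

foreach (triage_save_customer($sampleLog) as $f) {
    printf("[%s] line %d %s from %s: %s\n",
        strtoupper($f['severity']), $f['line'], $f['time'], $f['client'], $f['reason']);
}
```

On the sample input this raises two alerts for 203.0.113.5 (the `OR 1=1` probe and the time-based `SLEEP` probe, the latter with an HTTP 500 that would also show up as a database error) and one review item for the POST from 198.51.100.9. Feed it a real access log with `php triage.php < access.log` after replacing the sample with `stream_get_contents(STDIN)`; a run of alerts from one client against this endpoint is a strong signal to block the source and pull the database audit trail.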


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-14T06:23:09.390Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c7591939776bc2a1466a52

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:09:30 AM

Last updated: 9/15/2025, 2:47:55 AM
