CVE-2025-10415: SQL Injection in Campcodes Grocery Sales and Inventory System

Severity: Medium
Tags: Vulnerability, CVE-2025-10415
Published: Sun Sep 14 2025 (09/14/2025, 23:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability was found in Campcodes Grocery Sales and Inventory System 1.0. It affects an unknown function of the file /ajax.php?action=save_supplier. Manipulating the argument ID can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

AI-Powered Analysis

Last updated: 09/15/2025, 00:09:20 UTC

Technical Analysis

CVE-2025-10415 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability exists in the /ajax.php endpoint, specifically when the 'action' parameter is set to 'save_supplier'. Manipulation of the 'ID' argument in this request allows an attacker to inject malicious SQL code. This injection flaw enables unauthorized database queries to be executed remotely without requiring authentication or user interaction. The vulnerability is classified with a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network exploitability (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated as low individually but combined can lead to significant data exposure or modification. The vulnerability affects an unknown function within the specified file, indicating that the exact database operations impacted are not fully disclosed. No official patches or mitigations have been published yet, and while public exploit code is available, there are no confirmed reports of active exploitation in the wild. This vulnerability poses a risk to organizations using this specific inventory system, as attackers can remotely manipulate supplier data or potentially escalate to broader database compromise through crafted SQL payloads.
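The advisory does not publish the affected code, so the following is an added illustration, not code from Campcodes or from this page: a minimal model of a save_supplier handler in two forms, one that splices the request's ID value into the SQL text (the pattern that produces this class of flaw) and one that validates the identifier and binds it as a query parameter. The table, the sample rows and the function names are constructed for the example; SQLite stands in for whatever database the real application uses.

```python
import re
import sqlite3

# Constructed sample supplier rows; not data from the affected product.
SAMPLE_SUPPLIERS = [
    (1, "Fresh Farms", "fresh@example.invalid"),
    (2, "Dairy Direct", "dairy@example.invalid"),
    (3, "Bakery Bros", "bakery@example.invalid"),
]


def setup_db():
    """Create an in-memory database seeded with the constructed supplier rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)"
    )
    conn.executemany("INSERT INTO suppliers VALUES (?, ?, ?)", SAMPLE_SUPPLIERS)
    conn.commit()
    return conn


def save_supplier_vulnerable(conn, params):
    """Anti-pattern (hypothetical, modelled on the advisory's description):
    request parameters are formatted straight into the statement text, so the
    'id' value can rewrite the WHERE clause instead of selecting one row."""
    sql = "UPDATE suppliers SET name = '{name}' WHERE id = {id}".format(**params)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the request actually touched


# A supplier ID is a positive integer and nothing else.
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")


def save_supplier_hardened(conn, params):
    """Fixed form: reject anything that is not a plain integer ID, then bind
    every value as a parameter so the database never parses user data as SQL."""
    raw_id = params.get("id", "")
    if not ID_PATTERN.match(raw_id):
        raise ValueError("id must be a positive integer")
    name = params.get("name", "")
    if not 1 <= len(name) <= 100:
        raise ValueError("name length out of range")
    cur = conn.execute(
        "UPDATE suppliers SET name = ? WHERE id = ?", (name, int(raw_id))
    )
    conn.commit()
    return cur.rowcount


def supplier_names(conn):
    """Return supplier names in ID order, used to inspect the effect of an update."""
    return [row[0] for row in conn.execute("SELECT name FROM suppliers ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    # A well-formed request updates exactly one row in the hardened handler.
    print(save_supplier_hardened(conn, {"id": "2", "name": "Dairy Direct Ltd"}))
    print(supplier_names(conn))
```

The vulnerable function returns a rowcount equal to the whole table when the ID value carries a boolean condition, which is the difference the CVSS integrity rating is describing; the hardened function refuses such a value before any query runs. Validation alone is not the fix, since the parameter binding is what keeps the data out of the SQL grammar; the allow-list check is defence in depth and gives the application a clean error to log.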

Potential Impact

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability could lead to unauthorized access to sensitive supplier and inventory data, potentially exposing business-critical information such as supplier identities, pricing, stock levels, and transaction records. Data integrity could be compromised by unauthorized modification or deletion of records, disrupting supply chain operations and financial reporting. Although the vulnerability is rated medium severity, the lack of required authentication and ease of exploitation increase the risk of automated attacks. This could result in operational downtime, financial losses, and reputational damage. Additionally, if attackers leverage this vulnerability to pivot within the network, it could facilitate further compromise of internal systems. Given the retail and supply chain importance of grocery inventory systems, disruption could have cascading effects on logistics and customer service in European markets.

Mitigation Recommendations

Organizations should immediately audit their use of Campcodes Grocery Sales and Inventory System version 1.0 and restrict external access to the affected /ajax.php endpoint, ideally limiting it to trusted internal networks. Web Application Firewall (WAF) rules that detect SQL injection in the 'save_supplier' action and its 'ID' parameter can provide interim protection. Input validation and parameterized queries in the application code are the actual fix, but applying them requires a vendor patch. Until an official patch is released, organizations should consider isolating or replacing the vulnerable system, or applying virtual patching via network controls. Regular monitoring of web server and database logs for suspicious SQL queries or unusual database activity is recommended to detect exploitation attempts early. Additionally, organizations should maintain up-to-date backups of inventory and supplier data to enable recovery in case of data tampering.
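As an added example of the log monitoring recommended above (not tooling from the advisory's source or from Campcodes), the following parses web server access-log lines and flags requests to /ajax.php with action=save_supplier whose ID parameter is anything other than a plain integer. The log lines are constructed for the example and use documentation IP ranges; the parameter name is checked in both the 'ID' spelling used by the advisory and lowercase 'id'.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines; not real traffic from any system.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2025:00:10:01 +0000] "GET /ajax.php?action=save_supplier&id=12&name=Fresh+Farms HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Sep/2025:00:10:07 +0000] "GET /ajax.php?action=save_supplier&id=12%20OR%201%3D1&name=x HTTP/1.1" 200 27 "-" "curl/8.4.0"
203.0.113.9 - - [15/Sep/2025:00:10:09 +0000] "GET /ajax.php?action=save_supplier&ID=12'&name=x HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.2 - - [15/Sep/2025:00:11:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"^[0-9]+$")


def parse_line(line):
    """Split one access-log line into fields plus the decoded query parameters.
    Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded payloads are compared in clear.
    rec["query"] = {
        k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def supplier_id_param(query):
    """Return the supplier identifier under either parameter spelling, or None."""
    return query.get("ID", query.get("id"))


def is_suspicious(rec):
    """True for a save_supplier request whose ID value is not a bare integer."""
    if rec is None or rec["path"] != "/ajax.php":
        return False
    if rec["query"].get("action") != "save_supplier":
        return False
    ident = supplier_id_param(rec["query"])
    return ident is not None and INT_RE.match(ident) is None


def find_suspicious(log_text):
    """Scan a block of log text and return (client_ip, id_value, status) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], supplier_id_param(rec["query"]), rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, ident, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} sent non-numeric ID {ident!r} to save_supplier (HTTP {status})")
```

Two caveats for real deployments: an AJAX endpoint of this kind often receives its parameters in a POST body, which a standard access log does not record, so the same check should be run on whatever does capture parameters (WAF logs or an application-level request log); and a 500 response paired with a non-numeric ID, as in the third sample line, is worth a higher-priority alert because it suggests the value reached the database layer.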

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-14T06:23:12.060Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c7591939776bc2a1466a4b

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:09:20 AM

Last updated: 9/15/2025, 2:47:53 AM
