
CVE-2025-10562: SQL Injection in Campcodes Grocery Sales and Inventory System

Severity: Medium
Published: Tue Sep 16 2025 (09/16/2025, 19:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This affects an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 09/16/2025, 19:10:20 UTC

Technical Analysis

CVE-2025-10562 is a SQL injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The flaw exists in the /ajax.php endpoint when it handles the 'action=save_product' request. The 'ID' argument of that request is incorporated into a database query without adequate sanitization, so an attacker who controls its value can inject SQL. The vulnerability is remotely exploitable without authentication or user interaction, which makes it a significant risk. A successful injection can lead to unauthorized reading or modification of the backend database, potentially exposing sales, inventory, and customer data. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network attack vector, low attack complexity, and no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. No exploitation in the wild has been observed so far, but exploit code has been published, which increases the likelihood of exploitation. Only version 1.0 of the product is affected; the product is a specialized system for grocery sales and inventory management and is likely deployed in retail environments.

Potential Impact

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a risk of data breach and operational disruption. Exploitation could allow attackers to extract or manipulate sales and inventory data, leading to financial losses, inventory mismanagement, and reputational damage. Confidential customer information stored in the system could be exposed, raising compliance concerns under GDPR. Additionally, unauthorized database modifications could disrupt business operations, causing downtime or erroneous stock levels. Retailers relying on this system may face supply chain issues or regulatory scrutiny if data integrity is compromised. The remote and unauthenticated nature of the exploit increases the urgency for mitigation, especially for organizations with internet-facing installations or insufficient network segmentation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify whether they are running Campcodes Grocery Sales and Inventory System version 1.0 and plan to upgrade to a patched version as soon as one is available. In the absence of an official patch, implement web application firewall (WAF) rules that target SQL injection patterns on the /ajax.php?action=save_product endpoint, with particular attention to the 'ID' parameter. Where source code access is possible, validate the 'ID' parameter as a numeric identifier and pass it to the database through parameterized queries rather than string concatenation. Restrict external access to the affected endpoint through network segmentation or VPN-only access to reduce exposure. Monitor web server and database logs for requests to this endpoint whose 'ID' value is not a plain integer, since that is the signature of an injection attempt. Conduct regular security assessments and penetration testing focused on injection flaws. Finally, maintain backups of critical data to enable recovery in case of compromise.
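The following is an added illustration of the two code-level recommendations above (validating the ID and using parameterized queries) together with the log-monitoring check; it is not code from the Campcodes product and does not reflect its real schema or handler. The product is a PHP application, but the same pattern applies there with PDO prepared statements. The table layout, the log format (Apache combined style) and the assumption that the ID appears in the logged query string as `id=` are all constructed for this example; in the real application the parameter may travel in a POST body that the web server does not log.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# A product ID must be a positive integer with no other characters.
# This rule serves both as input validation and as a detection rule.
PRODUCT_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def is_valid_product_id(value):
    return isinstance(value, str) and PRODUCT_ID_RE.fullmatch(value) is not None


def make_db():
    # Constructed in-memory schema and rows (not the product's real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Apples", 1.20), (2, "Bread", 2.50), (3, "Milk", 0.99)],
    )
    conn.commit()
    return conn


def save_product_vulnerable(conn, product_id, name, price):
    # The flaw class named in the CVE: the untrusted ID is pasted into the SQL
    # text, so the WHERE clause is whatever the client sends. Returns rows updated.
    sql = f"UPDATE products SET name = ?, price = ? WHERE id = {product_id}"
    cur = conn.execute(sql, (name, price))
    conn.commit()
    return cur.rowcount


def save_product_hardened(conn, product_id, name, price):
    # Reject anything that is not a plain integer, then bind the value as a
    # parameter so the database never interprets it as SQL. Returns rows updated.
    if not is_valid_product_id(product_id):
        raise ValueError("product id must be a positive integer")
    cur = conn.execute(
        "UPDATE products SET name = ?, price = ? WHERE id = ?",
        (name, float(price), int(product_id)),
    )
    conn.commit()
    return cur.rowcount


# Constructed sample access-log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and the request with the encoded "OR 1=1" is a made-up
# injection attempt against the endpoint named in the advisory.
LOG_LINES = [
    '203.0.113.5 - - [16/Sep/2025:19:02:06 +0000] "POST /ajax.php?action=save_product&id=12 HTTP/1.1" 200 51',
    '203.0.113.9 - - [16/Sep/2025:19:03:11 +0000] "POST /ajax.php?action=save_product&id=12%20OR%201%3D1 HTTP/1.1" 200 51',
    '198.51.100.7 - - [16/Sep/2025:19:04:40 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(lines):
    # Returns (client_ip, decoded_id) for save_product requests whose ID fails
    # the same validation rule the hardened handler enforces.
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        parts = urlsplit(url)
        if parts.path != "/ajax.php":
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action") != ["save_product"]:
            continue
        for raw_id in qs.get("id", []):
            if not is_valid_product_id(raw_id):
                hits.append((ip, raw_id))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows changed:", save_product_vulnerable(db, "2 OR 1=1", "Overwritten", 0))
    db = make_db()
    print("hardened rows changed:", save_product_hardened(db, "2", "Bread (rename)", 2.75))
    print("flagged:", flag_suspicious_requests(LOG_LINES))
```

Running the script shows the difference directly: the vulnerable handler reports three rows changed for a request meant to touch one, the hardened handler changes exactly one row and refuses the malformed ID outright, and the log check surfaces the single request whose decoded ID is not an integer.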


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-16T14:13:00.872Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c9b60bd3e32ff68f895038

Added to database: 9/16/2025, 7:10:03 PM

Last enriched: 9/16/2025, 7:10:20 PM

Last updated: 9/17/2025, 12:09:20 AM
