CVE-2025-10563: SQL Injection in Campcodes Grocery Sales and Inventory System

Medium
Published: Tue Sep 16 2025 (09/16/2025, 20:02:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. It affects an unknown function of the file /ajax.php?action=save_category. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/16/2025, 20:04:47 UTC

Technical Analysis

CVE-2025-10563 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System, specifically within the /ajax.php endpoint when invoked with the action parameter set to save_category. The vulnerability arises from improper sanitization or validation of the 'ID' argument, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw can be exploited by sending crafted requests to the vulnerable endpoint, potentially enabling unauthorized access to the backend database. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability could allow attackers to extract sensitive data, modify or delete records, or disrupt inventory and sales operations, impacting business continuity and data integrity. The lack of a patch or mitigation guidance from the vendor at this time heightens the urgency for organizations using this software to implement compensating controls.

Potential Impact

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of their sales and inventory data. Exploitation could lead to unauthorized data disclosure, manipulation of inventory records, or disruption of sales processes, potentially causing financial losses, regulatory non-compliance (e.g., GDPR violations if personal data is involved), and reputational damage. Retailers and grocery chains relying on this system may experience operational downtime or incorrect stock management, affecting supply chain efficiency. Given the remote and unauthenticated nature of the attack, threat actors could exploit this vulnerability at scale, especially targeting organizations with internet-facing instances of the affected system. The medium severity rating suggests a moderate but significant threat that should not be ignored, particularly in sectors where data accuracy and availability are critical.

Mitigation Recommendations

Since no official patch or vendor guidance is currently available, European organizations should take immediate steps to mitigate risk. These include:
1) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting /ajax.php?action=save_category and the ID parameter.
2) Restricting access to the vulnerable endpoint by IP allow-listing or VPN-only access to reduce exposure.
3) Enforcing input validation and sanitization of the ID parameter at the application or reverse-proxy level where possible.
4) Monitoring web server and application logs for unusual or suspicious requests to the vulnerable endpoint so that exploitation attempts are detected early.
5) Running the application's database account with least privilege (and, where practical, on a segregated database) to limit the impact of a successful injection.
6) Planning and prioritizing an upgrade or patch deployment once the vendor releases a fix.
7) Educating IT and security teams about this vulnerability to ensure rapid incident response if exploitation is detected.
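As an added, defender-side example that is not part of this advisory or of the Campcodes product, the following Python implements the log-monitoring step: it flags access-log requests to /ajax.php with action=save_category whose id value is not a plain integer. It assumes a common-log-format access log and that legitimate category IDs are numeric; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic), common log format assumed.
# Note: POST bodies are not logged, so an ID sent in a request body (line 1)
# cannot be inspected here; only query-string IDs are checked.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:20:10:01 +0000] "POST /ajax.php?action=save_category HTTP/1.1" 200 51
203.0.113.7 - - [16/Sep/2025:20:10:05 +0000] "GET /ajax.php?action=save_category&id=12 HTTP/1.1" 200 51
198.51.100.9 - - [16/Sep/2025:20:11:42 +0000] "GET /ajax.php?action=save_category&id=12%27 HTTP/1.1" 500 0
198.51.100.9 - - [16/Sep/2025:20:11:50 +0000] "GET /ajax.php?action=list_category&id=abc HTTP/1.1" 200 51
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/ajax.php"
VULN_ACTION = "save_category"
# Assumption: a legitimate category ID is a plain decimal integer.
NUMERIC_ID = re.compile(r"^\d{1,10}$")


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "12%27" becomes "12'" here.
    rec["query"] = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_suspicious(rec):
    """True for requests to the vulnerable action whose id is not a plain integer."""
    if rec is None or rec["path"] != VULN_PATH:
        return False
    if rec["query"].get("action", [""])[0] != VULN_ACTION:
        return False
    return any(not NUMERIC_ID.match(v) for v in rec["query"].get("id", []))


def find_suspicious(log_text):
    """Return (ip, timestamp, target, status) for every flagged line in log_text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["target"], rec["status"]))
    return hits
```

A 500 status alongside a flagged request, as in the sample, is a useful secondary signal that the injected value reached the database layer and should raise the alert priority.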

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-16T14:13:03.997Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c9c2d13e74084d506c7f39

Added to database: 9/16/2025, 8:04:33 PM

Last enriched: 9/16/2025, 8:04:47 PM

Last updated: 9/18/2025, 8:01:18 PM
