CVE-2025-10564 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability exists in the /ajax.php endpoint, specifically in the action parameter 'delete_category' where the ID argument is not properly sanitized. This improper input validation allows an attacker to inject malicious SQL code remotely without any authentication or user interaction. Exploiting this flaw can enable an attacker to manipulate the backend database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The vector metrics show that the attack can be carried out remotely (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and no scope change (S:U). The impact on confidentiality, integrity, and availability is low to medium, as the vulnerability allows limited control over the database. Although no public exploits are currently known in the wild, the exploit code has been made public, increasing the risk of exploitation. The lack of patches or mitigation guidance from the vendor at this time further elevates the threat. Given the nature of the product—a grocery sales and inventory system—successful exploitation could disrupt business operations, compromise sensitive sales and inventory data, and potentially lead to financial losses or reputational damage.

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a tangible risk to operational continuity and data security. Attackers exploiting this SQL injection could access or manipulate sensitive business data such as inventory records, sales transactions, pricing information, and customer details. This could lead to inaccurate inventory management, financial discrepancies, and loss of customer trust. Additionally, unauthorized data exposure could violate GDPR requirements, resulting in regulatory penalties. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in small to medium-sized enterprises that may lack robust cybersecurity defenses. Disruption of inventory and sales systems could also impact supply chain operations, leading to delays and financial impact. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise but still requires prompt remediation to prevent exploitation.

1. Immediate mitigation should include implementing input validation and parameterized queries or prepared statements in the /ajax.php?action=delete_category endpoint to prevent SQL injection. 2. If source code modification is not immediately feasible, deploying a Web Application Firewall (WAF) with custom rules to detect and block malicious SQL injection payloads targeting the ID parameter can reduce risk. 3. Conduct a thorough code review of all input handling in the application to identify and remediate similar injection points. 4. Monitor application logs for suspicious activity related to the delete_category action and unusual database errors. 5. Segregate the database with strict access controls and ensure least privilege principles are enforced to limit the impact of any successful injection. 6. Engage with the vendor for official patches or updates and apply them promptly once available. 7. Educate IT and security teams on the vulnerability and ensure incident response plans include steps for SQL injection attacks. 8. Regularly back up critical data and verify restoration procedures to minimize operational impact in case of data tampering or loss.