CVE-2025-10564: SQL Injection in Campcodes Grocery Sales and Inventory System

Medium
Published: Tue Sep 16 2025 (09/16/2025, 20:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability was found in Campcodes Grocery Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=delete_category. Manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 09/16/2025, 20:35:19 UTC

Technical Analysis

CVE-2025-10564 is a SQL injection vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. The flaw is in the /ajax.php endpoint when it handles the 'delete_category' action: the 'ID' parameter of the HTTP request is passed into a SQL statement without proper validation or parameterization, so an attacker can inject SQL into it. The flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands against the backend database. No user interaction or prior authentication is required, which makes the issue easy to exploit. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and the absence of any privilege or user-interaction requirement. The impact on confidentiality, integrity, and availability is rated low individually, but combined the three can amount to significant data manipulation or leakage. No exploitation in the wild has been reported yet, but exploit details have been publicly disclosed, which raises the likelihood of imminent exploitation. Only version 1.0 of the product is affected, and the vendor had published no official patch or mitigation at the time of writing. The core risk is unauthorized reading, modification, or deletion of data in the inventory and sales database, which can disrupt business operations and expose sensitive commercial data.

Potential Impact

For European organizations running Campcodes Grocery Sales and Inventory System 1.0, this vulnerability is a tangible risk to operational continuity and data security. Exploitation could lead to unauthorized disclosure of sensitive inventory and sales data, manipulation or deletion of critical business records, and disruption of supply chain management. The consequences include financial loss, reputational damage, and regulatory exposure, especially under the GDPR, where data integrity and confidentiality are paramount. Retailers and grocery chains that rely on this system may face inventory inaccuracies that degrade customer service and sales. Attackers could also use the SQL injection as a foothold for broader network compromise if backend database credentials or other sensitive information are exposed through it. The medium severity rating indicates a moderate but actionable threat and argues for timely remediation before the issue escalates.

Mitigation Recommendations

1. As an immediate measure, deploy a Web Application Firewall (WAF) with rules that detect and block SQL injection attempts against the /ajax.php?action=delete_category endpoint.
2. Validate the 'ID' parameter so that only expected numeric values are accepted, and use parameterized queries or prepared statements in the application code.
3. Restrict the database user's permissions to the minimum the application needs, so that injected statements cannot manipulate data beyond the application's scope.
4. Monitor logs for suspicious activity against the vulnerable endpoint, including unusual query patterns or repeated failed requests.
5. Engage the vendor to obtain or request an official patch or an upgrade to a fixed version.
6. If patching is not immediately possible, isolate the affected system from external network access or limit access to trusted IP addresses.
7. Conduct a thorough security review of the whole application to identify and remediate other potential injection points.
8. Brief IT and security teams on this vulnerability and update incident response plans to cover exploitation scenarios.
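To make the fix in item 2 concrete, here is an added PHP example of a hardened delete_category handler for an /ajax.php-style dispatcher. It is not Campcodes' code (the project's source is not shown on this page); the vulnerable pattern shown for contrast, the table and column names, and the SQLite-backed demo are all assumptions.

```php
<?php
// Added example, not the project's code. Table/column names (categories, id)
// and the PDO connection are assumptions; a MySQL deployment only changes the DSN.
declare(strict_types=1);

// Assumed vulnerable pattern: the ID parameter is interpolated straight into
// the SQL string, so its content can change the shape of the query.
// Shown for contrast only; it is never called below.
function delete_category_vulnerable(PDO $db, array $request): int
{
    $id = $request['id'] ?? '';
    return $db->exec("DELETE FROM categories WHERE id = $id");
}

// Hardened version: accept only a positive integer, then bind it in a
// prepared statement so the value is data, never SQL.
function delete_category(PDO $db, array $request): int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Anything that is not a positive integer is rejected outright;
        // the caller should answer with HTTP 400 and log the request.
        return 0;
    }
    $stmt = $db->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 1 if the category existed, else 0
}

// Self-contained demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (name) VALUES ('fruit'), ('dairy'), ('bakery')");

// Constructed tampered input: through the vulnerable pattern this would match
// every row; the hardened handler rejects it before any SQL runs.
$tampered = ['id' => '1 OR 1=1'];
echo 'deleted (tampered input): ', delete_category($db, $tampered), PHP_EOL; // 0
echo 'deleted (id=2):           ', delete_category($db, ['id' => '2']), PHP_EOL; // 1
echo 'rows remaining:           ',
    $db->query('SELECT COUNT(*) FROM categories')->fetchColumn(), PHP_EOL; // 2
```

The same validate-then-bind shape applies to every other action in the dispatcher that takes a record identifier, which is the review suggested in item 7.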


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-16T14:13:06.699Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c9c9e1a11609747ab6085f

Added to database: 9/16/2025, 8:34:41 PM

Last enriched: 9/16/2025, 8:35:19 PM

Last updated: 9/18/2025, 8:00:53 AM