CVE-2025-10565: SQL Injection in Campcodes Grocery Sales and Inventory System
A vulnerability was determined in Campcodes Grocery Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_receiving. Manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2025-10565 is a medium-severity SQL injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability exists in an unspecified functionality within the /ajax.php endpoint, specifically when the 'action' parameter is set to 'delete_receiving'. Manipulating the 'ID' argument in this request allows an attacker to inject SQL code into the query the application builds from it, which can lead to unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without authentication or user interaction, which increases its risk profile. The CVSS 4.0 base score is 6.9, reflecting a network attack vector with low complexity and no privileges or user interaction needed. The impact on each of confidentiality, integrity, and availability is rated low; taken together they yield a medium severity rating. No patches or fixes have been publicly disclosed yet, and no exploitation in the wild is currently observed, though the public disclosure of exploit code increases the likelihood of exploitation attempts. The vulnerability affects only version 1.0 of the Campcodes system, a niche product used for grocery sales and inventory management, typically deployed in retail environments.
Potential Impact
For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their sales and inventory data. An attacker exploiting this SQL injection could extract sensitive business information, manipulate inventory records, or disrupt sales operations, potentially leading to financial losses and reputational damage. Since the system likely interfaces with payment and supply chain data, unauthorized access could also expose customer information or disrupt supply logistics. The remote, unauthenticated nature of the exploit means attackers can launch attacks without insider access, increasing exposure. For small to medium grocery retailers in Europe relying on this system, the impact could be operational disruption and regulatory compliance issues under GDPR if customer data is compromised. However, the limited market penetration of this specific software may restrict the overall scale of impact.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the /ajax.php endpoint, especially the 'delete_receiving' action, through network-level controls such as IP allowlisting or VPN access for trusted users only.
2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'ID' parameter.
3. Conduct a thorough code review of all parameters accepted by ajax.php; validate input and use parameterized queries so that user-supplied values are never concatenated into SQL statements.
4. If possible, upgrade or patch the Campcodes system once the vendor releases a fix.
5. Monitor web-server and database logs for unusual query patterns or repeated access attempts to the vulnerable endpoint.
6. Educate IT staff and users on the risks and signs of exploitation attempts.
7. As a longer-term measure, consider migrating to an actively maintained inventory management solution with robust security practices.
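One way to act on recommendations 2 and 5 (pattern checks on the 'ID' parameter and monitoring for repeated access to the endpoint) is to scan web-server access logs for requests to the delete_receiving action whose ID is not a plain integer. The Python below is an added example, not code from the advisory or from Campcodes; it assumes the common "combined" access-log format and that a legitimate ID is a decimal integer (the page does not state the ID's type), and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in the "combined" format; not captured from a
# real deployment. The client 198.51.100.9 probes the endpoint with non-integer IDs.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:20:34:41 +0000] "GET /ajax.php?action=delete_receiving&ID=42 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2025:20:35:02 +0000] "GET /ajax.php?action=delete_receiving&ID=42%27 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [16/Sep/2025:20:35:03 +0000] "GET /ajax.php?action=delete_receiving&ID=42%20OR%201%3D1 HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.7 - - [16/Sep/2025:20:36:10 +0000] "GET /index.php?page=receiving HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: a legitimate receiving ID is a plain decimal integer (allow-list check).
ID_OK = re.compile(r"[0-9]+")


def check_request(target):
    """Return (on_endpoint, id_value): on_endpoint is True for /ajax.php with
    action=delete_receiving; id_value is the URL-decoded ID argument (parse_qs
    decodes %27 and friends) or None when the argument is absent."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path != "/ajax.php" or qs.get("action") != ["delete_receiving"]:
        return False, None
    ids = qs.get("ID") or qs.get("id")  # assumption: accept either spelling of the key
    return True, (ids[0] if ids else None)


def analyse(log_text):
    """Return (alerts, hits): alerts lists (ip, id_value) pairs whose ID is not a
    plain integer; hits counts requests to the endpoint per client IP."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        on_endpoint, id_value = check_request(m["target"])
        if not on_endpoint:
            continue
        hits[m["ip"]] += 1
        if id_value is None or not ID_OK.fullmatch(id_value):
            alerts.append((m["ip"], id_value))
    return alerts, hits
```

The same integer allow-list is what the server-side fix in recommendation 3 should enforce before the value reaches a parameterized query; the per-IP hit count surfaces the repeated probing that recommendation 5 asks you to watch for.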
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-16T14:13:09.654Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c9c9e1a11609747ab60866
Added to database: 9/16/2025, 8:34:41 PM
Last enriched: 9/16/2025, 8:35:08 PM
Last updated: 9/18/2025, 5:42:23 AM