
CVE-2025-10566: Cross Site Scripting in Campcodes Grocery Sales and Inventory System

Medium
Published: Tue Sep 16 2025 (09/16/2025, 21:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability was identified in Campcodes Grocery Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=users. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/16/2025, 21:35:34 UTC

Technical Analysis

CVE-2025-10566 is a medium-severity reflected cross-site scripting (XSS) vulnerability in version 1.0 of the Campcodes Grocery Sales and Inventory System. The 'page' parameter of /index.php selects the view to render (for example, page=users); the application writes the requested value back into its HTML response without adequate validation or output encoding, so a crafted value injects script that executes in the victim's browser with the application's origin. The flaw is reachable over the network with no prior authentication, but because the injection is reflected rather than stored, the attacker has to get a victim to open a crafted URL: user interaction is required. The CVSS 4.0 base score is 5.3, which reflects a network-reachable flaw with low attack complexity and no privileges required, offset by the need for user interaction and a low impact on confidentiality and integrity; availability is not affected, and the flaw does not by itself escalate privileges. A public exploit exists, which lowers the bar for opportunistic attacks, although no exploitation in the wild had been reported when this record was written. The vulnerability is specific to version 1.0 of this niche grocery sales and inventory application, which limits the number of affected organizations but not the risk to those that expose it.
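The pattern described above, as an added example that is not code from the Campcodes project (its index.php is not reproduced on this page): a dispatcher reads 'page', selects a view, and somewhere echoes the requested name into the HTML. The exact reflection point in the real application is not known from the advisory, so the "not found" message used here is an assumption, as are the set of known page names and the example hostname. The hardened variant shows the two-part fix: allowlist the routing key, then HTML-encode at the point of use.

```python
"""Reflected XSS through a `page` routing parameter: vulnerable and hardened handlers.

Added example; not code from the Campcodes Grocery Sales and Inventory System.
The reflection point ("not found" message), the KNOWN_PAGES set and the
hostname shop.example are assumptions for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Assumed set of routes the dispatcher knows about.
KNOWN_PAGES = {"home", "users", "products", "sales"}


def page_param(url: str) -> str:
    """Return the `page` query parameter as the server sees it (percent-decoded once)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("page", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable pattern: the raw parameter is concatenated into the response."""
    page = page_param(url)
    if page in KNOWN_PAGES:
        return f"<h1>{page}</h1>"
    # Unknown route: attacker-controlled bytes are echoed with no encoding.
    return f"<p>Page '{page}' not found</p>"


def render_hardened(url: str) -> str:
    """Hardened pattern: allowlist the routing key, then encode at the point of use."""
    page = page_param(url)
    if page not in KNOWN_PAGES:
        # A fixed message carries no attacker bytes, so there is nothing to encode.
        return "<p>Page not found</p>"
    # Defense in depth: even an allowlisted value is HTML-encoded where it is written.
    return f"<h1>{html.escape(page, quote=True)}</h1>"


# Constructed attacker URL: breaks out of the text context and injects a script tag.
CRAFTED_URL = (
    "http://shop.example/index.php?page="
    "users%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
)
BENIGN_URL = "http://shop.example/index.php?page=users"


def compare(url: str = CRAFTED_URL) -> dict:
    """Render the same request through both handlers and report whether script survived."""
    vulnerable = render_vulnerable(url)
    hardened = render_hardened(url)
    return {
        "vulnerable": vulnerable,
        "hardened": hardened,
        "script_reflected": "<script>" in vulnerable,
        "script_blocked": "<script>" not in hardened,
    }


if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        print(url)
        for key, value in compare(url).items():
            print(f"  {key}: {value}")
```

The allowlist does the real work: a routing key has a small, known set of legal values, so rejecting everything else removes the attacker's bytes before any encoding question arises. The encoding call on the allowlisted value is there so that a future page name containing a special character cannot quietly reopen the hole.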

Potential Impact

For European organizations running Campcodes Grocery Sales and Inventory System 1.0, a successful attack executes attacker-controlled script in the browser of a logged-in user. Because that script runs with the application's origin, it can read the session cookie if the cookie is not marked HttpOnly and, even if it is, can issue authenticated requests on the victim's behalf: reading sales records, inventory levels and any customer details the application stores, or altering them. Exposure or manipulation of that data can translate into financial loss, reputational damage and GDPR obligations where personal data is involved. The absence of an authentication requirement widens the threat surface, particularly for instances reachable from the internet. The need for user interaction tempers the impact: the attacker must deliver the crafted URL, typically by phishing, and the victim must hold a valid session for the script to do anything useful. No exploitation in the wild is known at the time of writing, but the exploit code is public, so that can change quickly.

Mitigation Recommendations

This record does not reference a fixed release. Check with the vendor for an updated version and apply it; where none is available, fix the code directly or apply a virtual patch. The code-level fix is twofold: treat 'page' as a routing key and accept only values from an allowlist of known page names, rejecting anything else with a fixed error message that does not echo the input; and HTML-encode every user-controlled value at the point it is written into a page (in PHP, htmlspecialchars() with ENT_QUOTES and the UTF-8 charset). As interim measures, a web application firewall rule that rejects 'page' values containing characters outside [A-Za-z0-9_-] blocks the published payload class, assuming legitimate page names use only letters, digits, underscore and hyphen; a Content-Security-Policy without 'unsafe-inline' limits what injected script can do; and session cookies set with HttpOnly and SameSite reduce the value of a hijack. Restrict access to the application to trusted networks or a VPN where the business allows it, and remind users to be wary of links to the application arriving by e-mail or chat. For detection, search web server logs for requests to index.php whose 'page' parameter contains angle brackets, quotes or their percent-encoded equivalents, including double-encoded forms, and alert on any such request that received a 200 response, since that indicates the application rendered the input rather than rejecting it. Finally, review incident response plans for the case where session data or stored records are exposed through a client-side attack.
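The log check described above, as an added example that is not part of the advisory or the vendor's software. The access-log lines are constructed in Apache/nginx combined format with documentation-range IP addresses; the allowlist character class encodes the assumption that legitimate page names contain only letters, digits, underscore and hyphen. The scan decodes the parameter twice so that double-encoded payloads are inspected in the form the application would finally see.

```python
"""Scan web server access logs for requests that abuse the `page` parameter.

Added example, not from the advisory or the vendor. SAMPLE_LOG is constructed;
SAFE_PAGE is an assumption about what legitimate routing keys look like.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format: client, identity, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed shape of a legitimate routing key; anything else is worth a look.
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_-]{1,40}$")

# Markers that distinguish an XSS attempt from a merely malformed value.
XSS_MARKERS = re.compile(r"<|>|javascript:|on\w+\s*=|alert\s*\(|document\.", re.I)

# Constructed sample: two normal requests, one single-encoded and one
# double-encoded XSS attempt, and an unrelated POST.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:21:40:01 +0000] "GET /index.php?page=users HTTP/1.1" 200 5120
203.0.113.7 - - [16/Sep/2025:21:40:05 +0000] "GET /index.php?page=products HTTP/1.1" 200 7032
198.51.100.23 - - [16/Sep/2025:21:41:17 +0000] "GET /index.php?page=users%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3311
198.51.100.23 - - [16/Sep/2025:21:41:30 +0000] "GET /index.php?page=users%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3320
192.0.2.9 - - [16/Sep/2025:21:42:00 +0000] "POST /index.php?page=login HTTP/1.1" 302 -
"""


def decoded_page(target: str):
    """Return the `page` value after two rounds of percent-decoding, or None if absent.

    parse_qs decodes once; the second unquote exposes double-encoded payloads,
    which is how attackers dodge naive filters that match on '%3C'.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "page" not in qs:
        return None
    return unquote(qs["page"][0])


def scan(log_text: str) -> list:
    """Return one finding per request whose `page` value falls outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = decoded_page(m.group("target"))
        if value is None or SAFE_PAGE.match(value):
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "page": value,
            "reason": "xss-indicator" if XSS_MARKERS.search(value) else "unexpected-chars",
            # A 200 means the application rendered the request instead of rejecting it.
            "rendered": int(m.group("status")) == 200,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by reading the file into scan(). Findings with "rendered" set are the ones to follow up first: the application answered the request, so if a legitimate user's session was active in that browser the payload ran. The allowlist check, not the marker list, is what catches novel payloads; the markers only rank the hits.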


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-16T14:13:12.376Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c9d813d6e474b8e50ebcee

Added to database: 9/16/2025, 9:35:15 PM

Last enriched: 9/16/2025, 9:35:34 PM

Last updated: 9/17/2025, 3:50:23 AM

