CVE-2025-10804 is a medium-severity SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Beauty Parlor Management System. The vulnerability exists in the /admin/add-customer.php script, specifically in the handling of the 'mobilenum' parameter. An attacker can remotely manipulate this parameter without authentication or user interaction to inject malicious SQL code. This injection flaw allows the attacker to interfere with the application's database queries, potentially leading to unauthorized data access, data modification, or disruption of database operations. The vulnerability is exploitable over the network with low attack complexity and does not require privileges or user interaction, increasing its risk profile. Although no known exploits are currently reported in the wild, the exploit code has been publicly disclosed, which raises the likelihood of exploitation attempts. The CVSS 4.0 vector indicates partial impact on confidentiality, integrity, and availability, with no scope change or privilege escalation. The vulnerability affects a niche product used primarily in beauty parlor management, which may limit the overall attack surface but still poses significant risks to affected organizations.

For European organizations using the Campcodes Online Beauty Parlor Management System version 1.0, this vulnerability could lead to unauthorized access to sensitive customer data, including personal and contact information stored in the database. Attackers could manipulate or exfiltrate data, potentially violating data protection regulations such as GDPR, leading to legal and financial repercussions. The integrity of customer records and business operations could be compromised, affecting service reliability and customer trust. Additionally, successful exploitation could disrupt availability of the management system, impacting daily business activities. Small and medium-sized enterprises in the beauty and wellness sector, which often rely on such specialized management software, may be particularly vulnerable due to limited cybersecurity resources and patch management capabilities.

Organizations should immediately audit their use of the Campcodes Online Beauty Parlor Management System to identify affected installations running version 1.0. As no official patch links are currently available, administrators should implement input validation and parameterized queries or prepared statements to sanitize the 'mobilenum' input in /admin/add-customer.php. Web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting this parameter. Network segmentation and strict access controls should be enforced to limit exposure of the management system to untrusted networks. Regular monitoring of logs for suspicious database query patterns and anomalous activities is recommended. Organizations should also engage with the vendor for updates or patches and plan for timely application once available. Finally, conducting security awareness training for administrators on the risks of SQL injection and secure coding practices will help prevent similar vulnerabilities.