CVE-2025-10805: SQL Injection in Campcodes Online Beauty Parlor Management System
A vulnerability was identified in Campcodes Online Beauty Parlor Management System 1.0. It affects an unknown part of the file /admin/add-services.php. Manipulating the argument sername can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2025-10805 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Beauty Parlor Management System. The vulnerability exists in the /admin/add-services.php file, specifically through the manipulation of the 'sername' parameter. This flaw allows an unauthenticated remote attacker to inject malicious SQL code into the backend database queries executed by the application. The injection occurs because user input is not properly sanitized or parameterized before being incorporated into SQL statements. Exploiting this vulnerability could enable attackers to read, modify, or delete sensitive data stored in the database, potentially compromising customer information, service records, and administrative data. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The vector metrics show that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), does not require authentication (AT:N), and no user interaction (UI:N). However, the impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L), suggesting partial compromise rather than full system takeover. No known exploits are currently observed in the wild, but the exploit details have been publicly disclosed, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, and no official patches or mitigation links have been provided yet. Given the nature of the product—a management system for beauty parlors—the database likely contains personal customer data, appointment schedules, and possibly payment information, making the confidentiality and integrity of this data critical for business operations and compliance with data protection regulations.
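The defect class the summary describes, shown as an added example that is not code from the page or from the Campcodes project: a Python sqlite3 stand-in for the PHP endpoint (the table name `tblservices`, its columns, and the database engine are assumptions, since the page names only the file and the parameter) builds the INSERT two ways. The unsafe path splices `sername` into the SQL text and fails on an ordinary apostrophe, which is the visible symptom of query structure depending on user input; the hardened path validates the name and binds it as a parameter, so quotes and comment sequences are stored as plain data.

```python
import sqlite3

# Constructed schema standing in for the application's services table.
# The real table and column names are not on the page and are assumed here.
SCHEMA = """
CREATE TABLE tblservices (
    id           INTEGER PRIMARY KEY,
    service_name TEXT NOT NULL UNIQUE,
    cost         REAL NOT NULL CHECK (cost >= 0)
)
"""


def open_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_service_unsafe(conn, sername, cost):
    """The defect class the advisory describes: the request parameter is spliced
    into the SQL text, so a quote inside `sername` changes the statement's
    structure instead of being stored as data."""
    sql = f"INSERT INTO tblservices (service_name, cost) VALUES ('{sername}', {cost})"
    conn.execute(sql)
    conn.commit()


def validate_service_name(sername):
    """Allow-list style validation: a bounded, printable service name.
    This is defence in depth; the parameter binding below is what prevents injection."""
    if not isinstance(sername, str):
        raise ValueError("service name must be a string")
    name = sername.strip()
    if not 1 <= len(name) <= 100:
        raise ValueError("service name must be 1-100 characters")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
        raise ValueError("service name must not contain control characters")
    return name


def add_service_safe(conn, sername, cost):
    """Hardened form: the driver binds the parameters, so the SQL text is fixed
    and `sername` can only ever be data, quotes and comment sequences included."""
    name = validate_service_name(sername)
    price = float(cost)  # non-numeric cost is rejected here, not by the database
    if price < 0:
        raise ValueError("cost must be non-negative")
    conn.execute(
        "INSERT INTO tblservices (service_name, cost) VALUES (?, ?)",
        (name, price),
    )
    conn.commit()


def list_services(conn):
    return conn.execute(
        "SELECT service_name, cost FROM tblservices ORDER BY id"
    ).fetchall()


def demo():
    """Same legitimate input through both paths. The unsafe path raises a
    syntax error on the apostrophe; the safe path stores the value verbatim."""
    conn = open_db()
    tricky = "O'Neil's Blowout"
    unsafe_error = None
    try:
        add_service_unsafe(conn, tricky, 25.0)
    except sqlite3.Error as exc:
        unsafe_error = type(exc).__name__
    add_service_safe(conn, tricky, 25.0)
    return unsafe_error, list_services(conn)


if __name__ == "__main__":
    print(demo())
```

In the PHP application the equivalent fix is a prepared statement with bound placeholders (mysqli or PDO); the validation step is worth keeping regardless, because it also rejects oversized or control-character input that a bound parameter would otherwise store faithfully.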
Potential Impact
For European organizations using the Campcodes Online Beauty Parlor Management System, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and business data. Exploitation could lead to unauthorized data disclosure, data tampering, or disruption of service availability, undermining customer trust and potentially violating GDPR requirements regarding personal data protection. The impact extends beyond data loss to reputational damage and possible regulatory fines. Since the system is used in the beauty and wellness sector, which often handles sensitive personal information, the breach could expose personal identifiers and appointment histories. Additionally, compromised administrative functions could allow attackers to manipulate service offerings or pricing, affecting business operations. The medium severity rating indicates that while the vulnerability is not critical, it is sufficiently serious to warrant prompt attention, especially given the remote and unauthenticated nature of the exploit. European businesses relying on this software without mitigation are at risk of targeted attacks, particularly from opportunistic threat actors scanning for known vulnerabilities in niche management systems.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, restrict access to the /admin/add-services.php endpoint by IP whitelisting or VPN access to limit exposure to trusted administrators only. Implement web application firewall (WAF) rules specifically designed to detect and block SQL injection payloads targeting the 'sername' parameter. Conduct thorough input validation and sanitization on all user-supplied data, ideally by modifying the source code to use parameterized queries or prepared statements to prevent injection. If source code modification is not immediately feasible, consider deploying runtime application self-protection (RASP) solutions to monitor and block malicious queries. Regularly audit database logs for suspicious queries or anomalies indicative of exploitation attempts. Additionally, ensure that database user accounts used by the application have the least privileges necessary to limit the impact of a successful injection. Finally, maintain regular backups of the database and test restoration procedures to minimize downtime and data loss in case of compromise. Organizations should also monitor threat intelligence feeds for any emerging exploits and apply patches promptly once available from the vendor.
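The log-audit and WAF-rule recommendations above, as an added example that is not the vendor's code or a rule from any real product: a scorer that reads web server access log lines, picks out requests to /admin/add-services.php, decodes the sername value and grades it so that a lone apostrophe (a legitimate name such as O'Neil) is only recorded, while an apostrophe combined with a comment sequence, statement terminator or SQL keyword raises an alert. It assumes the parameter travels in the query string and is therefore visible in the access log; if the endpoint takes a POST body, the same `score_value` logic would run in a WAF or reverse proxy that inspects the body. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines; not real traffic from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2025:16:40:01 +0000] "GET /admin/add-services.php?sername=Manicure&cost=20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [22/Sep/2025:16:40:05 +0000] "GET /admin/add-services.php?sername=O%27Neil%20Cut&cost=30 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2025:16:41:09 +0000] "GET /admin/add-services.php?sername=Spa%27%3B--&cost=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [22/Sep/2025:16:41:12 +0000] "GET /admin/add-services.php?sername=Spa%27%20UNION%20SELECT&cost=1 HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.12 - - [22/Sep/2025:16:42:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

WATCHED_PATH = "/admin/add-services.php"   # endpoint named in the advisory
WATCHED_PARAM = "sername"                   # parameter named in the advisory
# Deliberately excludes short words such as "or"/"and" that appear in real service names.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I
)


def score_value(value):
    """Grade a decoded parameter value. A quote alone scores 1 (log only);
    quote plus comment, terminator or keyword reaches the alert threshold."""
    score, reasons = 0, []
    if "'" in value or '"' in value:
        score += 1
        reasons.append("quote")
    if "--" in value or "/*" in value or "#" in value:
        score += 2
        reasons.append("comment")
    if ";" in value:
        score += 2
        reasons.append("terminator")
    if SQL_KEYWORDS.search(value):
        score += 2
        reasons.append("keyword")
    return score, reasons


def analyse(log_text, threshold=3):
    """Return one alert dict per request whose sername value scores at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count these
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for value in params.get(WATCHED_PARAM, []):
            score, reasons = score_value(value)
            if score >= threshold:
                alerts.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "value": value,
                    "score": score,
                    "reasons": reasons,
                })
    return alerts


def sources(alerts):
    """Count alerts per client address, the usual pivot for blocking or follow-up."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(sources(analyse(SAMPLE_LOG)))
```

The threshold keeps the legitimate apostrophe case below the alert line while still surfacing both probes from 198.51.100.7; the HTTP 500 on the second of those is itself a useful secondary signal, since a malformed query reaching an unparameterized statement typically surfaces as a server error.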
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-21T09:44:11.037Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d17cd174c89a4b27bf04e6
Added to database: 9/22/2025, 4:44:01 PM
Last enriched: 9/22/2025, 4:44:29 PM
Last updated: 9/22/2025, 7:08:11 PM
Views: 6
Related Threats
- CVE-2025-10823: NULL Pointer Dereference in axboe fio (Medium)
- CVE-2025-10822: Improper Authorization in fuyang_lipengjun platform (Medium)
- CVE-2025-43814: CWE-201 Insertion of Sensitive Information Into Sent Data in Liferay Portal (Medium)
- CVE-2025-10821: Improper Authorization in fuyang_lipengjun platform (Medium)
- CVE-2025-43810: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal (Medium)