
CVE-2025-10806: SQL Injection in Campcodes Online Beauty Parlor Management System

Severity: Medium
Type: Vulnerability
Published: Mon Sep 22 2025 (09/22/2025, 16:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Beauty Parlor Management System

Description

A vulnerability was identified in Campcodes Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/22/2025, 16:34:23 UTC

Technical Analysis

CVE-2025-10806 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Beauty Parlor Management System. The vulnerability exists in the /admin/bwdates-reports-details.php file, where the 'fromdate' and 'todate' parameters are improperly sanitized. This allows an attacker to inject malicious SQL code through these parameters, potentially manipulating backend database queries. The vulnerability can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS score of 5.3 (medium severity) reflects that while the attack vector is network-based and easy to exploit, the impact on confidentiality, integrity, and availability is limited to low levels. The vulnerability could allow attackers to access or modify sensitive data related to beauty parlor management, such as customer records, appointments, or financial reports. However, the exploit does not appear to allow full system compromise or widespread disruption. No public patches are currently available, and no known exploits are reported in the wild, although a public exploit exists. The vulnerability affects only version 1.0 of the product, which is a niche management system targeted at beauty parlors. The lack of authentication requirement and remote exploitability make this a notable risk for organizations using this software, especially if they expose the admin interface to the internet or have weak network segmentation.

Potential Impact

For European organizations using the Campcodes Online Beauty Parlor Management System, this vulnerability could lead to unauthorized access to sensitive customer and business data, potentially violating GDPR requirements for data protection and privacy. The integrity of business reports and appointment data could be compromised, leading to operational disruptions and reputational damage. Although the impact is rated medium, the exposure of personal data could result in regulatory fines and loss of customer trust. Given the niche nature of the product, the impact is likely limited to small and medium enterprises in the beauty and wellness sector. However, if attackers leverage this vulnerability to pivot into broader network access, it could escalate into more severe breaches. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public exploit code is available. Organizations with internet-facing admin panels are at higher risk. The vulnerability also highlights the importance of secure coding practices and input validation in niche software products used by European SMEs.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /admin/bwdates-reports-details.php endpoint by implementing network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure to trusted users only.
2. Apply strict input validation and parameterized queries or prepared statements in the affected code to prevent SQL injection. If source code access is available, developers should sanitize and validate the 'fromdate' and 'todate' parameters rigorously.
3. Monitor web server and database logs for suspicious queries or unusual access patterns targeting the vulnerable parameters.
4. If a patch becomes available from Campcodes, prioritize applying it promptly.
5. Conduct a thorough security review of all input handling in the application to identify and remediate similar vulnerabilities.
6. Educate staff on the risks of exposing admin interfaces publicly and enforce strong authentication and access controls.
7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint.
8. Regularly back up critical data and test restoration procedures to mitigate potential data integrity issues resulting from exploitation.
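The handling that mitigation items 2 and 3 call for, shown as an added example in Python rather than the application's PHP; this is not Campcodes code. Strict date validation of fromdate/todate is paired with a parameterized query, and the same date rule is reused to flag report requests in access logs. The appointments table, its columns, the in-memory sqlite database and the log lines are constructed for illustration.

```python
import re
import sqlite3
from datetime import date
from urllib.parse import urlsplit, parse_qs

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
ENDPOINT = "/admin/bwdates-reports-details.php"

def parse_report_date(value):
    """Accept only a strict YYYY-MM-DD calendar date; reject everything else."""
    if not isinstance(value, str) or not DATE_RE.fullmatch(value):
        raise ValueError("date must be YYYY-MM-DD")
    return date(*map(int, value.split("-")))  # also rejects impossible dates such as 2025-02-30

def validate_range(fromdate, todate):
    start, end = parse_report_date(fromdate), parse_report_date(todate)
    if start > end:
        raise ValueError("fromdate must not be after todate")
    return start, end

def appointments_between(conn, fromdate, todate):
    start, end = validate_range(fromdate, todate)
    # Hardened query: validated values are bound as parameters, never concatenated into SQL text.
    sql = ("SELECT id, customer, appt_date FROM appointments "
           "WHERE appt_date BETWEEN ? AND ? ORDER BY appt_date")
    return conn.execute(sql, (start.isoformat(), end.isoformat())).fetchall()

def demo_db():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the parlor's appointments table
    conn.execute("CREATE TABLE appointments (id INTEGER PRIMARY KEY, customer TEXT, appt_date TEXT)")
    conn.executemany("INSERT INTO appointments (customer, appt_date) VALUES (?, ?)",
                     [("A. Sample", "2025-09-01"), ("B. Sample", "2025-09-15"), ("C. Sample", "2025-10-02")])
    return conn

def flag_bad_report_requests(log_lines):
    # Mitigation 3: flag requests to the report endpoint whose fromdate/todate are not plain dates.
    flagged = []
    for line in log_lines:
        parts = urlsplit(line.split('"')[1].split(" ")[1])  # request target of a common-log-format line
        qs = parse_qs(parts.query, keep_blank_values=True)
        if parts.path == ENDPOINT and any(
                not DATE_RE.fullmatch(v) for n in ("fromdate", "todate") for v in qs.get(n, [])):
            flagged.append(line)
    return flagged

SAMPLE_LOG = [  # constructed access-log lines, not from any real server
    '203.0.113.5 - - [22/Sep/2025:16:40:01 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-09-01&todate=2025-09-30 HTTP/1.1" 200 2310',
    '203.0.113.9 - - [22/Sep/2025:16:41:17 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-09-01%27&todate=2025-09-30 HTTP/1.1" 200 2310',
    '203.0.113.9 - - [22/Sep/2025:16:41:20 +0000] "GET /admin/index.php HTTP/1.1" 200 512',
]
```

Because the log check and the request handler share DATE_RE, anything the handler would reject is exactly what the log review surfaces.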


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T09:44:13.886Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d17a761010bdf62ab0e30e

Added to database: 9/22/2025, 4:33:58 PM

Last enriched: 9/22/2025, 4:34:23 PM

Last updated: 9/22/2025, 5:54:10 PM
