CVE-2025-10806 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Beauty Parlor Management System. The vulnerability exists in the /admin/bwdates-reports-details.php file, specifically through the manipulation of the 'fromdate' and 'todate' parameters. These parameters are used to filter or generate reports based on date ranges. Due to insufficient input validation or sanitization, an attacker can inject malicious SQL code into these parameters, which is then executed by the backend database. This can allow unauthorized access to sensitive data, modification or deletion of records, or potentially compromise the entire database. The vulnerability can be exploited remotely without requiring user interaction or authentication, increasing its risk profile. Although the CVSS 4.0 score is 5.3 (medium severity), the presence of publicly available exploits heightens the threat. The vulnerability affects only version 1.0 of the product, and no official patches or fixes have been published yet. The attack vector is network-based with low attack complexity and no privileges required, but it impacts the confidentiality, integrity, and availability of the system to a limited extent. The vulnerability does not require social engineering or user interaction, making automated exploitation feasible. Given the nature of the product—a management system for beauty parlors—the data at risk may include customer information, appointment schedules, and financial records, which could be leveraged for fraud or identity theft.

For European organizations using Campcodes Online Beauty Parlor Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and business data. Exploitation could lead to unauthorized disclosure of personal data, violating GDPR regulations and resulting in legal and financial penalties. Manipulation or deletion of appointment and financial records could disrupt business operations, causing reputational damage and loss of customer trust. Since the exploit can be launched remotely without authentication, attackers could target multiple organizations simultaneously. Small and medium-sized beauty parlors, which may lack robust cybersecurity defenses, are particularly vulnerable. Additionally, if attackers leverage this vulnerability as a foothold, they could pivot to other internal systems, escalating the impact. The absence of patches increases the window of exposure, and the availability of public exploits may lead to rapid exploitation attempts across Europe.

Immediate mitigation steps include implementing web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the affected parameters. Organizations should conduct thorough input validation and sanitization on all user-supplied data, especially the 'fromdate' and 'todate' parameters, using parameterized queries or prepared statements to prevent injection. Since no official patches are available, organizations should consider isolating or restricting access to the vulnerable admin interface, limiting it to trusted IP addresses or VPN access only. Regular monitoring of logs for suspicious query patterns or repeated failed attempts targeting the vulnerable endpoint is essential. Organizations should also plan for an urgent update or patch deployment once the vendor releases a fix. Additionally, conducting security awareness training for administrators and staff about the risks of SQL injection and the importance of timely updates can reduce exploitation likelihood. Backup procedures should be reviewed and tested to ensure rapid recovery in case of data corruption or loss.