CVE-2025-10807: SQL Injection in Campcodes Online Beauty Parlor Management System
A security flaw has been discovered in Campcodes Online Beauty Parlor Management System 1.0. This issue affects some unknown processing of the file /admin/edit-customer-detailed.php. The manipulation of the argument editid results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-10807 is a medium-severity SQL injection vulnerability in version 1.0 of the Campcodes Online Beauty Parlor Management System. The flaw resides in the /admin/edit-customer-detailed.php script, specifically in the handling of the 'editid' parameter: the value is not adequately validated or parameterized before it reaches the database query, so a crafted value can alter the SQL statement the script executes. The vulnerability can be used to manipulate the backend database, potentially leading to unauthorized data access, data modification, or disruption of service. The CVSS 4.0 vector records a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, that is, a low-privileged account rather than no account at all, consistent with the script living under /admin/), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although exploit code has been publicly released, there are no confirmed reports of active exploitation in the wild. The vulnerability affects only version 1.0 of the product, and no official patch has been published yet. Given the nature of the system, a management platform for beauty parlors, this vulnerability could expose sensitive customer data and business records if exploited.
Potential Impact
For European organizations using Campcodes Online Beauty Parlor Management System 1.0, this vulnerability poses a risk of unauthorized access to customer and business data, which could lead to privacy violations under GDPR. Attackers exploiting the SQL injection could extract personal information, modify records, or disrupt business operations, potentially causing reputational damage and financial loss. Since the system is used in the beauty and wellness sector, which often handles sensitive client information, the impact on confidentiality is significant. The integrity of customer data and appointment records could be compromised, affecting service reliability. Availability impact is low but possible if the database is manipulated to cause errors or downtime. The medium CVSS score reflects these moderate risks. Organizations in Europe must consider the regulatory implications of data breaches and the operational impact on client-facing services.
Mitigation Recommendations
Immediate mitigation should include implementing input validation and parameterized queries or prepared statements in the /admin/edit-customer-detailed.php script to prevent SQL injection. Since no official patch is currently available, organizations should consider applying virtual patching via web application firewalls (WAFs) configured to detect and block malicious SQL injection payloads targeting the 'editid' parameter. Restricting access to the admin interface through network segmentation, VPNs, or IP whitelisting can reduce exposure. Regularly monitoring logs for suspicious database queries and unusual activity is critical. Organizations should also plan to upgrade to a patched version once released or consider alternative management systems with better security track records. Conducting security audits and penetration testing focused on input validation can help identify similar vulnerabilities. Finally, ensure backups of critical data are maintained to enable recovery in case of data corruption or loss.
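The following is an added example, not code from Campcodes or from this advisory, of how the editid handling in a script such as /admin/edit-customer-detailed.php can be hardened as the Technical Summary and the Mitigation Recommendations above describe: the parameter is validated as a positive integer, rejected (and logged) otherwise, and then bound to a mysqli prepared statement so it can never become part of the SQL text. The table and column names (tblcustomer, ID, Name, Email, Phone), the session key admin_logged_in, and the database credentials are assumptions chosen for illustration; the comment describing the original string-concatenation pattern is the assumed shape of the bug, not code quoted from the product.

```php
<?php
// Added example (not Campcodes' code): hardened handling of the editid
// parameter for a script such as /admin/edit-customer-detailed.php.
// Assumed names: table tblcustomer with columns ID, Name, Email, Phone;
// session key admin_logged_in; DB_* credentials are placeholders.
declare(strict_types=1);

// Assumed (not quoted from the product): the vulnerable pattern is a query
// built by concatenation, e.g.
//   "SELECT ... FROM tblcustomer WHERE ID='" . $_GET['editid'] . "'"
// which lets a crafted editid value change the statement itself.

/**
 * Validate editid as a positive integer. Returns null for anything else,
 * so a non-numeric or otherwise malformed value never reaches the database.
 */
function validateEditId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one customer row with a prepared statement. The id is bound as an
 * integer parameter ('i') and is never interpolated into the SQL string.
 * get_result() requires the mysqlnd driver, which is the default in modern PHP.
 */
function fetchCustomer(mysqli $con, int $editid): ?array
{
    $stmt = $con->prepare(
        'SELECT ID, Name, Email, Phone FROM tblcustomer WHERE ID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $editid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- request handling ---------------------------------------------------
session_start();
// Assumed session check; the real script's admin gate may use another key.
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit('forbidden');
}

$editid = validateEditId($_GET['editid'] ?? null);
if ($editid === null) {
    // Reject rather than "clean" the value, and leave a trace for monitoring.
    error_log(sprintf(
        'edit-customer-detailed: rejected editid from %s',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(400);
    exit('invalid customer id');
}

$con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$con->set_charset('utf8mb4');

$customer = fetchCustomer($con, $editid);
if ($customer === null) {
    http_response_code(404);
    exit('customer not found');
}

// The same page renders the values into HTML, so escape on output as well.
echo htmlspecialchars($customer['Name'], ENT_QUOTES, 'UTF-8');
```

Two design points: the integer check is a complement to, not a substitute for, the prepared statement (the statement is what makes the query safe; the check simply lets malformed requests be refused and logged early, which is the signal a WAF rule or log monitor for this parameter should key on), and the 400 responses written to the error log give the "suspicious activity" monitoring recommended above something concrete to alert on.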
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-21T09:44:16.649Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d181926d3a945b7030e02f
Added to database: 9/22/2025, 5:04:18 PM
Last enriched: 9/30/2025, 1:44:35 AM
Last updated: 10/6/2025, 12:00:54 PM