CVE-2025-12337 identifies a SQL injection vulnerability in the Campcodes Retro Basketball Shoes Online Store version 1.0, located in the /admin/admin_feature.php file. The vulnerability arises from improper sanitization of the 'pid' parameter, which is used in SQL queries without adequate validation or parameterization. This allows an unauthenticated remote attacker to inject malicious SQL code by manipulating the 'pid' argument, potentially leading to unauthorized access to or modification of the underlying database. The attack vector requires no user interaction and no privileges, making exploitation straightforward. The vulnerability affects confidentiality by potentially exposing sensitive customer or administrative data, integrity by allowing unauthorized data changes, and availability by possibly disrupting database operations. The CVSS 4.0 score of 6.9 (medium severity) reflects the low attack complexity and no required privileges but limits impact to partial compromise of confidentiality, integrity, and availability. Although no active exploitation has been reported, the public availability of exploit code increases the likelihood of attacks. No official patches have been linked yet, so mitigation relies on secure coding practices and monitoring.

The SQL injection vulnerability could allow attackers to extract sensitive information such as customer data, administrative credentials, or business intelligence stored in the database. Unauthorized modification of data could lead to fraudulent transactions, altered product listings, or corrupted order records, damaging business operations and reputation. Availability impacts could arise if attackers execute destructive queries or cause database errors, resulting in downtime or degraded service. For organizations using this specific e-commerce platform, the threat could lead to regulatory compliance violations (e.g., GDPR, PCI-DSS) due to data breaches. The public release of exploit code increases the risk of automated attacks and widespread exploitation, especially targeting online stores with limited security controls. The impact is particularly significant for small to medium-sized businesses that may lack dedicated security teams or timely patching capabilities.

Organizations should immediately audit their Campcodes Retro Basketball Shoes Online Store installations, focusing on version 1.0. If an official patch becomes available, it must be applied promptly. In the absence of patches, implement input validation and sanitization on the 'pid' parameter to reject or properly escape malicious input. Refactor the code to use parameterized SQL queries or prepared statements to prevent injection. Employ web application firewalls (WAFs) with rules targeting SQL injection patterns to provide a temporary defense layer. Conduct thorough security testing, including automated scanning and manual code review, to identify and remediate similar injection points. Monitor logs for suspicious database query patterns or unusual access to the /admin/admin_feature.php endpoint. Restrict access to the admin interface by IP whitelisting or VPN to reduce exposure. Educate development teams on secure coding practices to prevent future injection flaws.