CVE-2025-12337: SQL Injection in Campcodes Retro Basketball Shoes Online Store
A security flaw has been discovered in Campcodes Retro Basketball Shoes Online Store 1.0. It affects an unknown part of the file /admin/admin_feature.php: manipulating the argument pid results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-12337 identifies a SQL injection vulnerability in version 1.0 of the Campcodes Retro Basketball Shoes Online Store software. The vulnerability resides in the /admin/admin_feature.php file, specifically in the handling of the 'pid' parameter. An attacker can remotely manipulate this parameter to inject SQL, potentially gaining unauthorized access to the backend database. The vulnerability requires no authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 score of 6.9 reflects medium severity: the impact on confidentiality, integrity, and availability is limited but non-negligible, and the attack complexity is low. Although no active exploitation has been observed in the wild, the public release of exploit code increases the likelihood of exploitation attempts. Successful exploitation could allow attackers to extract sensitive customer data, modify product or order information, or disrupt the e-commerce platform's operations. With no patch or vendor advisory available at this time, users of the affected software need to apply defensive measures immediately. The flaw exemplifies a common web application security failure: improper input validation and the absence of parameterized queries in PHP-based e-commerce platforms.
Potential Impact
For European organizations using the Campcodes Retro Basketball Shoes Online Store 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and transactional data. Exploitation could lead to unauthorized disclosure of personal customer information, financial data, or internal business records. Data manipulation could result in fraudulent orders, inventory inaccuracies, or financial losses. Availability impacts may arise if attackers execute destructive SQL commands or cause database corruption, leading to downtime and loss of customer trust. Retailers relying on this platform may face regulatory consequences under GDPR if personal data is compromised. The remote, unauthenticated nature of the exploit increases the attack surface, making it easier for cybercriminals to target vulnerable installations across Europe. The public availability of exploit code further elevates the threat, potentially leading to widespread attacks if mitigations are not promptly applied.
Mitigation Recommendations
1. Immediately audit all instances of Campcodes Retro Basketball Shoes Online Store version 1.0 to identify vulnerable deployments.
2. Implement input validation and sanitization on the 'pid' parameter in /admin/admin_feature.php, ensuring only expected data types and values are accepted.
3. Refactor database queries to use parameterized statements or prepared queries to prevent SQL injection.
4. Restrict administrative interface access via network segmentation, VPNs, or IP allowlisting to reduce exposure.
5. Monitor web server and database logs for suspicious activity related to 'pid' parameter manipulation.
6. Deploy patches or updates to the affected software version as soon as the vendor releases them.
7. Conduct security training for developers to avoid similar injection flaws in future code.
8. Consider deploying a Web Application Firewall (WAF) with rules targeting SQL injection attempts as an interim protective measure.
9. Regularly back up databases and test restoration procedures to mitigate the impact of potential data corruption or loss.
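As an added illustration of recommendations 2, 3 and 5 (example code written for this page, not code from the Campcodes project; the table and column names, and the toggle-featured behaviour of the handler, are assumptions), the query pattern this class of flaw follows is shown next to a hardened form that validates pid as a positive integer and binds it through a PDO prepared statement:

```php
<?php
// Added example, not code from Campcodes Retro Basketball Shoes Online Store.
// The table/column names (products, pid, is_featured) and the handler's
// purpose are assumptions; the real schema of admin_feature.php is not known.

// Vulnerable pattern: the raw request value is concatenated into the SQL
// text, so whoever controls pid also controls the structure of the query.
function toggle_featured_vulnerable(PDO $db, array $get): int
{
    $pid = $get['pid'] ?? '';   // untrusted, used verbatim
    $sql = "UPDATE products SET is_featured = 1 - is_featured WHERE pid = " . $pid;
    return $db->exec($sql);     // a non-numeric pid can rewrite the WHERE clause
}

// Hardened form: validate first, then bind.
function toggle_featured(PDO $db, array $get): int
{
    // 1. Input validation: pid must be a positive integer. filter_var returns
    //    false for anything else (letters, quotes, spaces, comment markers, null).
    $pid = filter_var($get['pid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pid === false) {
        // Rejected values are the signal recommendation 5 says to monitor for;
        // log them so repeated probing of this parameter becomes visible.
        error_log('admin_feature: rejected pid value ' . json_encode($get['pid'] ?? null));
        http_response_code(400);
        return 0;
    }

    // 2. Parameterized statement: the value is sent separately from the SQL
    //    text, so it can never be interpreted as part of the query.
    $stmt = $db->prepare('UPDATE products SET is_featured = 1 - is_featured WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT, is_featured INTEGER)');
$db->exec("INSERT INTO products VALUES (1, 'Retro High', 0), (2, 'Retro Low', 0)");

echo toggle_featured($db, ['pid' => '2']) . " row(s) updated\n";        // 1 row(s) updated
echo toggle_featured($db, ['pid' => '2 OR 1=1']) . " row(s) updated\n"; // 0 row(s) updated (rejected)
```

Fed the same second input, the concatenating function would apply the UPDATE to every row in the table; the hardened one rejects it before any SQL is built and leaves a log line for the monitoring in recommendation 5.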
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-27T12:41:36.831Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69000cd9ba6dffc5e21dd5bf
Added to database: 10/28/2025, 12:22:49 AM
Last enriched: 10/28/2025, 12:37:44 AM
Last updated: 10/28/2025, 6:21:54 AM