CVE-2025-12337 is a SQL injection vulnerability identified in Campcodes Retro Basketball Shoes Online Store version 1.0, specifically within the /admin/admin_feature.php file. The vulnerability arises from improper sanitization of the 'pid' parameter, which is used in SQL queries without adequate validation or parameterization. This flaw allows remote attackers to inject arbitrary SQL code by manipulating the 'pid' argument, potentially enabling unauthorized data access, data modification, or deletion within the underlying database. The attack vector is network accessible (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and no authentication, making exploitation straightforward. The vulnerability impacts confidentiality, integrity, and availability, though the impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L), indicating partial compromise is possible. The CVSS 4.0 base score is 6.9, categorized as medium severity. Although no known exploits are currently active in the wild, the public release of exploit code increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is an online store platform used for selling retro basketball shoes. The lack of patch links suggests that no official fix has been released yet, emphasizing the need for immediate mitigation steps by users. The vulnerability is significant because it targets the administrative interface, which typically has elevated privileges and access to sensitive data. Exploitation could lead to unauthorized access to customer data, order information, or administrative controls, potentially resulting in data breaches or disruption of e-commerce operations.

For European organizations using the Campcodes Retro Basketball Shoes Online Store version 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their e-commerce systems. Successful exploitation could lead to unauthorized disclosure of customer data, including personal and payment information, damaging customer trust and violating data protection regulations such as GDPR. Data integrity could be compromised through unauthorized modification or deletion of product listings, orders, or administrative settings, disrupting business operations and causing financial losses. Availability of the online store could be affected if attackers execute destructive SQL commands or cause database corruption, leading to downtime and loss of revenue. The fact that the vulnerability is remotely exploitable without authentication increases the attack surface and risk. European organizations may also face regulatory penalties if breaches occur due to unpatched vulnerabilities. The medium severity rating indicates a moderate but tangible threat that should be addressed promptly to avoid escalation or chaining with other vulnerabilities. The lack of an official patch means organizations must rely on interim mitigations to reduce risk until a vendor fix is available.

1. Immediate mitigation should include implementing strict input validation and sanitization on the 'pid' parameter within /admin/admin_feature.php to prevent SQL injection. 2. Employ parameterized queries or prepared statements in the codebase to eliminate direct concatenation of user input into SQL commands. 3. Restrict access to the admin interface by IP whitelisting, VPN access, or multi-factor authentication to reduce exposure. 4. Monitor database logs and web server logs for unusual or suspicious SQL queries or access patterns indicative of exploitation attempts. 5. If possible, deploy a Web Application Firewall (WAF) with rules to detect and block SQL injection payloads targeting the vulnerable parameter. 6. Engage with the vendor Campcodes to obtain or request an official patch or update addressing this vulnerability. 7. Conduct a thorough security audit of the entire e-commerce platform to identify and remediate any other injection or input validation issues. 8. Educate administrative users on security best practices and ensure strong password policies to reduce risk of lateral attacks. 9. Prepare an incident response plan to quickly address any exploitation attempts or breaches related to this vulnerability. 10. Consider isolating or temporarily disabling the vulnerable admin feature if feasible until a patch is available.