CVE-2025-13260 identifies a SQL injection vulnerability in Campcodes Supplier Management System version 1.0. The vulnerability exists in the /manufacturer/edit_product.php script, where the cmbProductUnit parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without requiring authentication or user interaction, enabling attackers to manipulate backend database queries. The impact includes potential unauthorized access to sensitive supplier or product data, modification or deletion of database records, and disruption of system availability. The CVSS 4.0 score is 5.3 (medium), reflecting low complexity of attack (AC:L), no authentication required (PR:L), and no user interaction (UI:N), but limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No patches or known exploits are currently available, but public disclosure increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is used in supplier and inventory management contexts, making it a critical component in supply chain operations. Attackers exploiting this vulnerability could compromise business processes reliant on accurate supplier data, leading to financial and operational consequences.

For European organizations, especially those in manufacturing, logistics, and supply chain management, this vulnerability poses a risk of unauthorized data exposure and manipulation. Compromise of supplier data integrity could disrupt procurement and production workflows, causing delays and financial losses. Confidentiality breaches may expose sensitive supplier contracts or pricing information, potentially harming competitive advantage. Availability impacts, while limited, could affect system responsiveness or cause errors in product management. The medium severity rating suggests that while the vulnerability is exploitable remotely and without user interaction, the overall damage is somewhat constrained by the limited scope of the affected system version and the partial impact on CIA triad components. However, given the critical role supplier management systems play in European industrial sectors, even medium severity vulnerabilities warrant prompt attention to prevent cascading operational disruptions.

Organizations should immediately conduct a thorough code audit of the /manufacturer/edit_product.php file to identify and remediate improper input handling of the cmbProductUnit parameter. Implement strict input validation and parameterized queries or prepared statements to prevent SQL injection. Restrict database user permissions to the minimum necessary, avoiding elevated privileges that could amplify impact. Monitor logs for unusual database query patterns or error messages indicative of injection attempts. If possible, isolate the affected system segment to limit exposure. Engage with Campcodes for official patches or updates and apply them promptly once available. Additionally, conduct penetration testing focused on injection vectors to verify remediation effectiveness. Educate development and operations teams about secure coding practices and the risks of SQL injection to prevent recurrence.