CVE-2025-13291: SQL Injection in Campcodes Supplier Management System
A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-13291 is a SQL injection vulnerability identified in Campcodes Supplier Management System version 1.0. The flaw exists in the /manufacturer/confirm_order.php script where the 'ID' parameter is not properly sanitized, allowing an attacker to inject malicious SQL code. This vulnerability can be exploited remotely without requiring authentication or user interaction, making it highly accessible to attackers. Successful exploitation could lead to unauthorized data access, modification, or deletion within the underlying database, compromising the confidentiality, integrity, and availability of supplier and order data. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity, reflecting the moderate impact and ease of exploitation. Although no active exploits have been reported in the wild, the public availability of exploit code increases the likelihood of attacks. The affected product is primarily used in supplier management workflows, which are critical for manufacturing and supply chain operations. The lack of patches or official remediation guidance necessitates immediate defensive measures by organizations using this software. Given the critical nature of supply chain data, exploitation could disrupt business operations and expose sensitive commercial information.
Potential Impact
For European organizations, particularly those in manufacturing, logistics, and supply chain management, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of supplier and order information, manipulation of order data, or disruption of supplier management processes. This could result in financial losses, reputational damage, and operational downtime. The impact is heightened in sectors where supply chain integrity is critical, such as automotive, aerospace, and pharmaceuticals. Additionally, compromised supplier data could facilitate further attacks or fraud. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional weaknesses. However, the remote and unauthenticated nature of the exploit increases the urgency for mitigation. European organizations with integrated supplier management systems relying on Campcodes software are particularly vulnerable to supply chain disruptions and data breaches stemming from this flaw.
Mitigation Recommendations
Organizations should immediately implement input validation and sanitization for the 'ID' parameter in /manufacturer/confirm_order.php to prevent SQL injection. Employing parameterized queries or prepared statements is critical to eliminate injection vectors. Restricting access to the affected endpoint via network segmentation or firewall rules can reduce exposure. Monitoring logs for unusual database queries or access patterns related to the 'ID' parameter can help detect exploitation attempts. If possible, isolate the supplier management system from the internet or untrusted networks until a patch is available. Engage with Campcodes for official patches or updates and apply them promptly once released. Conduct security assessments and penetration testing focused on injection vulnerabilities in related systems. Educate development and operations teams about secure coding practices to prevent similar issues. Finally, maintain regular backups of supplier data to enable recovery in case of data manipulation or loss.
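As an added illustration (not code from the Campcodes project; the actual source of confirm_order.php is not shown on this page), the snippet below contrasts the string-built query pattern that produces this class of flaw with a hardened version that validates the 'ID' parameter as an integer and binds it through a mysqli prepared statement. The `orders` table and its columns, the `$conn` connection variable and the `$_GET['ID']` source of the parameter are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumptions: a mysqli connection in $conn,
// an `orders` table with integer `id` and string `status` columns, and the ID
// parameter arriving via $_GET['ID'] as the advisory describes.

// --- Vulnerable pattern (the class of flaw described for CVE-2025-13291) ---
// The request parameter is spliced straight into the SQL text, so any value that
// is not a plain integer changes the statement the database executes.
function confirm_order_vulnerable(mysqli $conn): bool
{
    $id  = $_GET['ID'] ?? '';
    $sql = "UPDATE orders SET status = 'confirmed' WHERE id = " . $id;
    return $conn->query($sql) === true;
}

// --- Hardened pattern ---
// 1. Validate: ID must be a positive integer; anything else is rejected with a
//    400 before the database is touched (defense in depth, cheap to log/alert on).
// 2. Parameterize: the value is bound as an integer to a fixed SQL text, so the
//    parameter can never be interpreted as part of the query.
// Authentication/authorization of the caller is a separate control and belongs
// before this function; the advisory notes the endpoint is reachable without it.
function confirm_order_hardened(mysqli $conn): bool
{
    $id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false || $id === null) {   // non-integer or missing
        http_response_code(400);
        return false;
    }

    $stmt = $conn->prepare("UPDATE orders SET status = 'confirmed' WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);           // 'i' = bind as integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Rejected requests in the hardened path are a useful detection signal: a 400 on this endpoint with a non-numeric ID is exactly the "unusual access pattern related to the 'ID' parameter" the recommendations above suggest monitoring for.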
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-17T08:03:51.225Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691b5a78903b8a3ddb6f53b5
Added to database: 11/17/2025, 5:25:12 PM
Last enriched: 11/24/2025, 5:36:17 PM
Last updated: 1/7/2026, 5:23:13 AM