CVE-2025-13291: SQL Injection in Campcodes Supplier Management System
Description
A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing a manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-13291 is a SQL injection vulnerability in Campcodes Supplier Management System 1.0, in the script /manufacturer/confirm_order.php. The 'ID' request parameter is used in a SQL query without adequate validation or parameterization, so a remote attacker who controls that parameter can alter the query and read or modify data in the underlying database. The CVSS 4.0 base score is 6.9 (medium): the attack vector is network, attack complexity is low, and no privileges or user interaction are required, but the assessed impact on confidentiality, integrity and availability is limited. No exploitation in the wild has been reported, but exploit code is public, which raises the likelihood of attempts. Only version 1.0 is listed as affected; the product handles supplier and manufacturer order data. No official patch is referenced, so users must mitigate now. Successful exploitation could lead to data leakage, unauthorized data manipulation, or disruption of supplier order processing.
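The mechanism described above, modelled as an added example in Python (not the vendor's PHP code, which is not on this page): a handler that splices the ID parameter into the SQL text, beside two hardened variants. The table name, columns and sample rows are constructed for the example. The `bound_only` variant shows that parameter binding by itself defeats the injection because the payload is compared as a literal value; the `hardened` variant adds the allow-list validation a practitioner would also want so bad input is rejected before it reaches the database.

```python
import re
import sqlite3
from typing import List, Optional

# Constructed sample rows standing in for the application's orders table.
# The table and column names are assumptions; the real schema is not on the page.
SAMPLE_ORDERS = [
    (1, 101, "pending"),
    (2, 101, "pending"),
    (3, 202, "confirmed"),
]

# A legitimate order ID is a short run of ASCII digits. A regex is used rather
# than str.isdigit(), which also accepts characters such as "²" that int() rejects.
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, manufacturer_id INTEGER, status TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def confirm_order_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[int]:
    """The flaw class: the request parameter is spliced into the SQL text,
    so whatever the attacker puts in ID becomes part of the query."""
    sql = f"SELECT id FROM orders WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def confirm_order_bound_only(conn: sqlite3.Connection, raw_id: str) -> List[int]:
    """Parameter binding alone: the value travels separately from the SQL text,
    so a payload is compared as a literal string and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM orders WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def parse_order_id(raw: str) -> Optional[int]:
    """Allow-list validation: digits only and within a sane range, else None."""
    if ORDER_ID_RE.fullmatch(raw) is None:
        return None
    value = int(raw)
    return value if 0 < value < 2**31 else None


def confirm_order_hardened(conn: sqlite3.Connection, raw_id: str) -> List[int]:
    """Validation plus binding: reject anything that is not an order ID up front,
    then bind the integer so the query text never changes."""
    order_id = parse_order_id(raw_id)
    if order_id is None:
        return []  # in a real handler: respond HTTP 400 and log the rejected value
    rows = conn.execute("SELECT id FROM orders WHERE id = ?", (order_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for p in ["2", "1 OR 1=1", "0 UNION SELECT manufacturer_id FROM orders"]:
        print(f"ID={p!r}")
        print("  vulnerable:", confirm_order_vulnerable(db, p))
        print("  bound only:", confirm_order_bound_only(db, p))
        print("  hardened:  ", confirm_order_hardened(db, p))
```

Run stand-alone, the tautology payload returns every order from the vulnerable handler and the UNION payload leaks the manufacturer IDs, while both hardened variants return nothing for either payload and behave identically to the vulnerable one for a genuine ID.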
Potential Impact
For organizations that run Campcodes Supplier Management System 1.0 for supplier and order management, successful exploitation could expose supplier and order records, allow modification or deletion of that data, and disrupt supply chain operations, with the usual downstream consequences: financial loss, reputational damage, and compliance exposure where regulated data is involved. Because the attack is remote and, per the assessment, unauthenticated, no insider access or user interaction is needed. The exposure is limited to deployments of this one product and version, but organizations whose supply chain depends on it face elevated risk, and with no patch available the threat has to be managed through mitigation rather than an update.
Mitigation Recommendations
1. Fix the code: validate the 'ID' parameter against an allow-list (an order ID should be a positive integer and nothing else) and pass it to the database through a prepared statement or parameterized query in /manufacturer/confirm_order.php, so the value is bound rather than concatenated into SQL text.
2. If the source cannot be changed immediately, place a Web Application Firewall (WAF) in front of the application with a rule for the 'ID' parameter on that path. A positive rule (allow only digits) is harder to evade than a blocklist of SQL keywords; treat the WAF as a stopgap, not a fix.
3. Restrict network access to the Supplier Management System to trusted IP ranges and enforce strict access controls to reduce exposure.
4. Monitor web server and application logs and network traffic for requests to /manufacturer/confirm_order.php whose 'ID' value is anything other than a plain integer, and for SQL injection signatures generally.
5. Ask the vendor, Campcodes, for an official patch or update and apply it promptly once available.
6. Review the rest of the application for the same pattern through security assessment and code review; the parameter-in-query construction found in this script may occur in others.
7. Train development and operations teams in secure coding practices and the risks of SQL injection.
8. Isolate the affected system in a segmented network zone to limit lateral movement if it is compromised.
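The log monitoring in recommendation 4 (and the positive WAF rule in recommendation 2) reduce to one check: does the ID parameter sent to /manufacturer/confirm_order.php look like an order ID? The following is an added example, not part of the original advisory, that runs that check over constructed Apache combined-format access log lines. The IP addresses, timestamps and payloads are made up for the example; the path and parameter name come from the advisory.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (sample data, not a real capture).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2025:17:25:12 +0000] "GET /manufacturer/confirm_order.php?ID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Nov/2025:17:25:13 +0000] "GET /manufacturer/confirm_order.php?ID=42%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2025:17:26:01 +0000] "GET /manufacturer/confirm_order.php?ID=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.8"
198.51.100.7 - - [17/Nov/2025:17:26:02 +0000] "GET /manufacturer/confirm_order.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 0 "-" "sqlmap/1.8"
192.0.2.5 - - [17/Nov/2025:17:27:00 +0000] "POST /manufacturer/confirm_order.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [17/Nov/2025:17:27:05 +0000] "GET /index.php?ID=1%20OR%201%3D1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/manufacturer/confirm_order.php"
# Positive allow-list: the only shape a legitimate ID should ever have.
# The same expression is what a WAF positive-security rule would enforce.
LEGIT_ID = re.compile(r"[0-9]{1,10}")


def is_legitimate_id(value: str) -> bool:
    return LEGIT_ID.fullmatch(value) is not None


def suspicious_id_requests(log_text: str) -> List[Dict[str, str]]:
    """One finding per request to the vulnerable script whose decoded ID
    parameter is anything other than a plain positive integer."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs undoes both %XX and '+' encoding, so payloads are inspected in
        # the form PHP would see them. keep_blank_values makes an empty ID a finding.
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            # PHP's $_GET keys are case-sensitive, so "id" misses the vulnerable
            # parameter, but a lower-case probe is still worth flagging.
            if name.lower() != "id":
                continue
            for value in values:
                if not is_legitimate_id(value):
                    findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                     "value": value, "status": m["status"]})
        # POST bodies are not in the access log; those requests need a WAF or
        # application-level logging to be inspected at all.
    return findings


def offenders_by_ip(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = suspicious_id_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]!r} -> {h["status"]}')
    print("per-source counts:", offenders_by_ip(hits))
```

The allow-list approach means the detector does not need a signature for each SQL dialect or encoding trick; anything that is not digits is reported, including the time-based probe that returns HTTP 200 and a normal-sized body. The POST request in the sample is skipped on purpose, since the access log carries no body, which is why recommendation 4 also asks for application-level logging.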
Affected Countries
United States, Germany, China, India, United Kingdom, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-17T08:03:51.225Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691b5a78903b8a3ddb6f53b5
Added to database: 11/17/2025, 5:25:12 PM
Last enriched: 2/24/2026, 10:03:52 PM
Last updated: 3/24/2026, 3:07:06 PM
Views: 80