CVE-2025-13410: SQL Injection in Campcodes Retro Basketball Shoes Online Store
A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Manipulation of the argument tid leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13410 identifies a SQL injection vulnerability in the Campcodes Retro Basketball Shoes Online Store version 1.0. The flaw exists in the /admin/receipt.php file where the tid parameter is improperly sanitized, allowing attackers to inject malicious SQL code remotely without requiring authentication or user interaction. This vulnerability enables attackers to manipulate backend SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability affects the confidentiality, integrity, and availability of the database, although the impact is considered limited (VC:L/VI:L/VA:L). The CVSS 4.0 vector indicates no privileges or user interaction are needed, and the attack complexity is low, making exploitation feasible. While no known exploits have been observed in the wild yet, the public disclosure of the exploit increases the risk of imminent attacks. The absence of vendor patches necessitates immediate mitigation efforts by users of this software. The vulnerability is typical of improper input validation and lack of parameterized queries in web applications, emphasizing the need for secure coding practices in e-commerce platforms.
Potential Impact
The SQL injection vulnerability could allow attackers to access sensitive customer information, including personal and payment data, stored in the backend database. Attackers might also alter or delete transaction records, leading to financial discrepancies and loss of data integrity. Additionally, attackers could disrupt the availability of the online store by executing destructive SQL commands, causing downtime and loss of revenue. For organizations, this can result in reputational damage, regulatory penalties related to data protection laws, and increased operational costs due to incident response and remediation. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, affecting any deployment of the vulnerable software accessible over the internet. The medium severity rating reflects the partial but significant impact on confidentiality, integrity, and availability, combined with ease of exploitation.
Mitigation Recommendations
Organizations should immediately audit the /admin/receipt.php file and sanitize the tid parameter to prevent SQL injection. Implementing prepared statements or parameterized queries is critical to eliminate injection vectors. If available, apply official patches or updates from Campcodes promptly. In the absence of vendor patches, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious SQL injection payloads targeting the tid parameter. Conduct thorough code reviews across the application to identify and remediate similar injection flaws. Regularly monitor logs for suspicious query patterns or repeated access attempts to /admin/receipt.php. Restrict administrative interface access via IP whitelisting or VPN to reduce exposure. Finally, ensure backups of critical data are current and tested to enable recovery in case of data corruption or loss.
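The following is an added illustration of the fixes recommended above for a receipt lookup like /admin/receipt.php: an authentication gate, strict type validation of tid, and a server-side prepared statement. It is not the Campcodes application's own code; the database credentials, the admin session key, and the transactions table and its columns are assumptions.

```php
<?php
// Hardened receipt lookup (illustrative, not the vendor's source).
// Replaces the unsafe pattern of concatenating $_GET['tid'] into the SQL string.
declare(strict_types=1);

session_start();
// Defence in depth: the admin interface must not be reachable unauthenticated.
// 'admin_id' is an assumed session key for this example.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Assumed DSN and credentials; take them from the application's real config.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// 1. Validate the type: a transaction id must be a positive integer.
//    filter_input returns null when tid is absent and false when it fails validation.
$tid = filter_input(INPUT_GET, 'tid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($tid === null || $tid === false) {
    http_response_code(400);
    exit('Invalid transaction id');
}

// 2. Bind tid as a typed parameter so it is never parsed as part of the SQL text.
//    Table and column names are assumptions for this example.
$stmt = $pdo->prepare(
    'SELECT tid, customer_id, total, created_at FROM transactions WHERE tid = :tid'
);
$stmt->bindValue(':tid', $tid, PDO::PARAM_INT);
$stmt->execute();
$receipt = $stmt->fetch(PDO::FETCH_ASSOC);

if ($receipt === false) {
    http_response_code(404);
    exit('Receipt not found');
}

// 3. Escape on output as well, so stored values cannot inject into the HTML.
header('Content-Type: text/html; charset=utf-8');
foreach ($receipt as $column => $value) {
    printf(
        "<div>%s: %s</div>\n",
        htmlspecialchars((string) $column, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
    );
}
```

Rejecting non-integer tid values with a 400 also gives the log-monitoring step above a clear signal: repeated 400 responses on /admin/receipt.php are worth alerting on.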
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, France, Netherlands, South Korea, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-19T14:33:54.909Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691e29f04d0ffcb40bb6a604
Added to database: 11/19/2025, 8:34:56 PM
Last enriched: 2/24/2026, 10:06:15 PM
Last updated: 3/25/2026, 2:59:38 AM