CVE-2025-13410 identifies a SQL injection vulnerability in the Campcodes Retro Basketball Shoes Online Store version 1.0. The vulnerability resides in the /admin/receipt.php file, where the 'tid' parameter is improperly sanitized, allowing attackers to inject malicious SQL code. This flaw enables remote attackers to manipulate backend database queries without requiring authentication or user interaction, potentially exposing sensitive data or altering database contents. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no active exploits have been reported yet. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The absence of scope change (S:U) means the vulnerability affects the same security scope. This vulnerability is critical for e-commerce platforms as it can lead to data breaches, financial fraud, or disruption of services. The lack of available patches necessitates immediate mitigation through secure coding practices and input validation. Organizations should audit their installations of this product and monitor for suspicious activity related to the 'tid' parameter in administrative interfaces.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to customer data, including personal and payment information, resulting in privacy violations and regulatory non-compliance (e.g., GDPR). Data integrity could be compromised by unauthorized modification or deletion of records, potentially disrupting order processing and financial reporting. Availability impacts may arise if attackers manipulate database queries to cause application crashes or denial of service. The public disclosure of the vulnerability increases the likelihood of attempted exploitation, especially targeting online stores with weak security controls. Given the e-commerce nature of the affected product, organizations could suffer reputational damage, financial losses, and legal consequences. The medium severity rating suggests a significant but not catastrophic risk, emphasizing the need for timely remediation to prevent escalation or chaining with other vulnerabilities.

Organizations using Campcodes Retro Basketball Shoes Online Store 1.0 should immediately conduct a security review of the /admin/receipt.php endpoint, focusing on the 'tid' parameter. Developers must implement parameterized queries or prepared statements to prevent SQL injection. Input validation should be enforced to accept only expected data types and formats for 'tid'. Web Application Firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting this parameter. Monitoring and logging of database queries and administrative access should be enhanced to detect suspicious activities. Since no official patch is currently available, consider isolating or restricting access to the admin interface to trusted IPs or VPNs. Regular backups of the database should be maintained to enable recovery in case of data tampering. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once released.