CVE-2025-14529: SQL Injection in Campcodes Retro Basketball Shoes Online Store

Severity: Medium
Type: Vulnerability (CVE-2025-14529)
Published: Thu Dec 11 2025 (12/11/2025, 17:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Retro Basketball Shoes Online Store

Description

A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The affected element is an unknown function of the file /admin/admin_running.php. This manipulation of the argument pid causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 12/11/2025, 17:54:17 UTC

Technical Analysis

CVE-2025-14529 identifies a SQL injection vulnerability in the Campcodes Retro Basketball Shoes Online Store version 1.0, located in the /admin/admin_running.php file. The vulnerability arises from improper sanitization of the 'pid' parameter, which is used in SQL queries without adequate validation or parameterization. An attacker can remotely exploit this flaw without requiring authentication or user interaction, by sending crafted requests that manipulate the SQL query logic. This can lead to unauthorized access to the backend database, allowing attackers to read, modify, or delete sensitive data, potentially affecting confidentiality, integrity, and availability of the system. The CVSS 4.0 score of 6.9 (medium severity) reflects the network attack vector, low complexity, and no required privileges or user interaction, but limited impact scope. No patches or vendor advisories are currently available, and no known exploits have been observed in the wild, though a public exploit has been published, increasing the risk of exploitation. The vulnerability primarily threatens the administrative interface, which may contain sensitive business and customer data. Exploitation could lead to data leakage, unauthorized transactions, or disruption of e-commerce operations. Given the nature of the vulnerability, attackers could automate exploitation attempts, increasing the risk to organizations using this software. The lack of authentication requirement and remote exploitability make this a significant concern for online retailers using this platform.

Potential Impact

For European organizations using the Campcodes Retro Basketball Shoes Online Store version 1.0, this vulnerability poses a risk of unauthorized data access and manipulation, potentially leading to customer data breaches, financial fraud, and reputational damage. The SQL injection could allow attackers to extract sensitive customer information, including payment details, or alter product and order data, disrupting business operations. This could result in regulatory non-compliance, especially under GDPR, with potential fines and legal consequences. The availability of the online store could also be impacted if attackers delete or corrupt database records, causing downtime and loss of sales. The medium severity rating suggests moderate impact, but the ease of remote exploitation without authentication increases the likelihood of attacks. European e-commerce businesses relying on this platform must consider the threat significant, particularly those handling large volumes of personal and payment data. The exposure of administrative functions increases the risk of broader system compromise, potentially affecting connected systems and supply chains.

Mitigation Recommendations

Organizations should immediately audit their use of Campcodes Retro Basketball Shoes Online Store version 1.0 and restrict access to the /admin/admin_running.php interface to trusted IP addresses or VPNs. Implement input validation and sanitization for the 'pid' parameter, replacing vulnerable code with parameterized queries or prepared statements to prevent SQL injection. If possible, upgrade to a patched version once available or apply vendor-provided fixes. Employ web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the vulnerable parameter. Conduct thorough security testing, including automated vulnerability scans and manual code reviews, focusing on all input handling in the admin interface. Monitor logs for suspicious activity related to the 'pid' parameter and unusual database queries. Educate developers on secure coding practices to prevent similar vulnerabilities. Finally, ensure regular backups of databases to enable recovery in case of data corruption or deletion caused by exploitation.
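The recommendation above (validate the `pid` parameter and replace string-built SQL with a prepared statement) as an added PHP example; this is illustrative code, not the Campcodes source, and the table and column names (`products`, `id`, `name`, `price`), the function names and the database credentials are assumptions.

```php
<?php
// Added example, not Campcodes code: a hypothetical "before" pattern that
// interpolates the pid request parameter into the SQL text, beside the
// hardened replacement that validates the value and binds it as a parameter.
// Table/column names and credentials below are placeholders.

declare(strict_types=1);

// --- Vulnerable pattern (shown for contrast only) ---
function lookupProductUnsafe(mysqli $db, array $get): ?array
{
    // The raw request value becomes part of the query text, so the database
    // cannot tell where the developer's SQL ends and the user's input begins.
    $pid = $get['pid'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = '" . $pid . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version ---
function lookupProduct(mysqli $db, array $get): ?array
{
    // 1. Validate: pid must be a positive integer; anything else is rejected
    //    before it gets anywhere near the database.
    $pid = filter_var($get['pid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pid === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameterize: the SQL text is fixed at prepare time and the value is
    //    sent separately, so it can never alter the statement's structure.
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $pid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage inside the admin script, after its existing session/role check:
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
// $product = lookupProduct($db, $_GET);
```

Pair the code change with a log check: requests to /admin/admin_running.php whose `pid` value is not a plain integer are exactly the ones the validation step now rejects, and a spike of them is a useful detection signal.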


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-11T09:12:46.982Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693b01b07d4c6f31f7bc5fb7

Added to database: 12/11/2025, 5:38:56 PM

Last enriched: 12/11/2025, 5:54:17 PM

Last updated: 12/12/2025, 4:30:26 AM

