
CVE-2025-4713: SQL Injection in Campcodes Sales and Inventory System

Severity: Medium
Published: Thu May 15 2025 (05/15/2025, 18:31:07 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Sales and Inventory System

Description

A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. This issue affects some unknown processing of the file /pages/print.php. The manipulation of the argument sid leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/11/2025, 20:01:44 UTC

Technical Analysis

CVE-2025-4713 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System. The vulnerability arises from improper sanitization of the 'sid' parameter in the /pages/print.php script, which allows an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without requiring authentication or user interaction, making it accessible to a wide range of threat actors. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is rated as low, suggesting that while the vulnerability can be exploited, the extent of damage or data exposure may be limited or requires additional conditions to escalate. The vulnerability affects only version 1.0 of the Campcodes Sales and Inventory System, a software product used for managing sales and inventory operations. The lack of available patches or mitigations at the time of disclosure increases the urgency for affected organizations to implement compensating controls.

Potential Impact

For European organizations using Campcodes Sales and Inventory System 1.0, this vulnerability poses a risk of unauthorized data access or manipulation through SQL injection attacks. Potential impacts include unauthorized disclosure of sensitive sales or inventory data, data corruption, or disruption of business operations if the database integrity is compromised. Given the medium severity and the low impact ratings on confidentiality, integrity, and availability, the threat may not lead to catastrophic data breaches but could still result in operational disruptions or loss of trust. Organizations in sectors with stringent data protection regulations, such as GDPR, could face compliance issues if sensitive customer or business data is exposed. The remote and unauthenticated nature of the exploit increases the risk profile, especially for systems exposed to the internet or accessible via insecure networks. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, particularly as public disclosure may prompt attackers to develop exploits.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting access to the /pages/print.php endpoint, ideally limiting it to trusted internal networks or VPN users only.
2. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'sid' parameter.
3. Conduct thorough input validation and sanitization on all parameters, especially 'sid', to ensure only expected data types and formats are accepted.
4. Monitor logs for unusual or suspicious SQL queries or access patterns related to the vulnerable endpoint.
5. Engage with the vendor Campcodes to obtain or request a security patch or updated version addressing this vulnerability.
6. If patching is not immediately possible, consider isolating the affected system or migrating critical functions to alternative platforms.
7. Educate IT and security teams about the vulnerability and ensure incident response plans are updated to detect and respond to potential exploitation attempts.
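The following is an added example of how recommendations 3 and 4 look in code for a handler like /pages/print.php; it is not Campcodes' code, and the `$pdo` connection details, the `sales` table and its `sales_id`, `customer` and `total` columns are assumed for illustration, since the real schema is not on this page.

```php
<?php
// Added example, not taken from the Campcodes project.
// Hardened handling of the `sid` query parameter for a print-style page.
declare(strict_types=1);

// Vulnerable pattern (assumed, shown only for contrast): the raw value is
// spliced into the SQL text, so a crafted `sid` changes the query.
//   $sql = "SELECT * FROM sales WHERE sales_id = '" . $_GET['sid'] . "'";

/**
 * Accept only a positive integer of sane length for `sid`.
 * Returns the integer, or null when the value is malformed.
 */
function parse_sid(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Fetch one sale by id using a bound parameter; the value never enters the SQL text. */
function fetch_sale(PDO $pdo, int $sid): ?array
{
    $stmt = $pdo->prepare(
        'SELECT sales_id, customer, total FROM sales WHERE sales_id = :sid'
    );
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$sid = parse_sid($_GET['sid'] ?? null);
if ($sid === null) {
    // Rejected input is logged so monitoring (recommendation 4) can alert on it.
    error_log(sprintf('print.php: rejected malformed sid from %s',
        $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Invalid sale id');
}

// Connection details are hypothetical placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=inventory', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

$sale = fetch_sale($pdo, $sid);
if ($sale === null) {
    http_response_code(404);
    exit('Sale not found');
}
// ... render $sale for printing
```

Rejected requests surface as `rejected malformed sid` entries in the PHP error log, which gives a concrete string to alert on while the endpoint remains exposed.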


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-15T06:41:12.504Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb77b

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 8:01:44 PM

Last updated: 8/17/2025, 7:13:25 PM
