CVE-2025-4719 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System. The vulnerability exists in the /pages/cash_transaction.php file, specifically through the manipulation of the 'cid' parameter. An attacker can remotely exploit this flaw without any authentication or user interaction, by injecting malicious SQL code into the 'cid' argument. This can lead to unauthorized access or modification of the backend database, potentially exposing sensitive sales and inventory data, corrupting records, or even enabling further compromise of the system. The CVSS 4.0 base score is 6.9, indicating a medium severity level, primarily due to limited impact on confidentiality, integrity, and availability (all rated low), but with ease of exploitation (no privileges or user interaction required). Although no public exploits have been observed in the wild yet, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The lack of available patches or mitigations from the vendor further elevates the threat. Given the nature of sales and inventory systems, the vulnerability could be leveraged to disrupt business operations, manipulate financial data, or facilitate fraud.

For European organizations using the Campcodes Sales and Inventory System 1.0, this vulnerability poses a significant risk to operational continuity and data integrity. Exploitation could lead to unauthorized data disclosure, including sensitive customer and transaction information, potentially violating GDPR requirements and resulting in regulatory penalties. Manipulation of inventory or sales data could disrupt supply chains, financial reporting, and decision-making processes. The remote and unauthenticated nature of the exploit increases the attack surface, especially for organizations exposing the affected system to the internet or internal networks with weak segmentation. The medium severity rating suggests that while the direct impact on confidentiality, integrity, and availability is limited, the broader business impact could be substantial, especially for SMEs relying heavily on this system for daily operations.

Organizations should immediately audit their deployment of the Campcodes Sales and Inventory System to identify affected instances running version 1.0. As no official patches are currently available, temporary mitigations include implementing strict input validation and sanitization on the 'cid' parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. Network segmentation should be enforced to limit access to the vulnerable system only to trusted internal users. Monitoring and logging of database queries and web requests related to /pages/cash_transaction.php should be enhanced to detect anomalous activities. Organizations should also consider migrating to a newer, patched version of the software once available or replacing the system with a more secure alternative. Additionally, regular backups of critical data should be maintained to enable recovery in case of data corruption or loss due to exploitation.