CVE-2025-4741 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically affecting the /pages/purchase_add.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is susceptible to malicious input manipulation. An attacker can exploit this flaw remotely without any authentication or user interaction, injecting crafted SQL commands that the backend database executes. This can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the system's data. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with attack vector being network-based, no privileges or user interaction required, and low complexity. The impact on confidentiality, integrity, and availability is limited but present. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation by threat actors. The lack of available patches or mitigation guidance from the vendor further exacerbates the risk for organizations using this software version.

For European organizations utilizing Campcodes Sales and Inventory System 1.0, this vulnerability poses a significant risk to business operations and data security. Exploitation could lead to unauthorized access to sensitive sales and inventory data, potentially exposing customer information, pricing details, and stock levels. This could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. The integrity of inventory records may be compromised, leading to operational disruptions such as incorrect stock management or fraudulent transactions. Availability impacts may arise if attackers manipulate or delete critical data, causing system downtime or degraded performance. Given the remote exploitation capability without authentication, attackers could target these systems en masse, increasing the threat landscape for affected European enterprises.

Organizations should immediately conduct an audit to identify any deployments of Campcodes Sales and Inventory System version 1.0. In the absence of an official patch, implement the following mitigations: 1) Apply strict input validation and parameterized queries or prepared statements in the /pages/purchase_add.php script to sanitize the 'ID' parameter and prevent SQL injection. 2) Employ Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns targeting the vulnerable endpoint. 3) Restrict network access to the application server by limiting exposure to trusted IP addresses and enforcing VPN or zero-trust network access controls. 4) Monitor logs for suspicious database queries or unusual activity around the purchase_add.php page. 5) Plan for an upgrade or migration to a patched or newer version of the software once available. 6) Conduct regular security assessments and penetration testing focused on injection flaws to proactively identify similar vulnerabilities.