CVE-2025-4806: SQL Injection in SourceCodester Stock Management System
A vulnerability, which was classified as critical, has been found in SourceCodester/oretnom23 Stock Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/?page=back_order/view_bo. The manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4806 is a SQL injection vulnerability in version 1.0 of the SourceCodester/oretnom23 Stock Management System. It lies in the administrative interface, specifically the /admin/?page=back_order/view_bo endpoint, where the 'ID' parameter is not properly validated or sanitized before it reaches a database query, so an attacker can inject SQL into that query. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the flaw is reachable over the network with low attack complexity and no user interaction, but that it requires low privileges, i.e. an authenticated user. The vulnerability has been publicly disclosed, although no exploitation in the wild is currently reported. The CVSS 4.0 base score is 5.3 (medium severity), reflecting limited impact on confidentiality, integrity, and availability together with the low-privilege requirement. An attacker with low-privilege authenticated access could manipulate backend database queries, potentially leading to unauthorized data access, data modification, or disruption of stock management operations; for a stock management system this can affect inventory accuracy, financial reporting, and operational continuity. No patch or mitigation link is available, so organizations running this version must implement protective measures themselves. The exploitation scope is limited to installations running version 1.0 of this specific stock management system, which may be used by small to medium enterprises for inventory control and order management.
Potential Impact
For European organizations, the impact of CVE-2025-4806 depends on the adoption of the SourceCodester Stock Management System version 1.0. If deployed, the SQL Injection vulnerability could lead to unauthorized disclosure or alteration of sensitive inventory data, affecting supply chain integrity and financial accuracy. This may disrupt business operations, cause compliance issues with data protection regulations such as GDPR, and damage customer trust. The ability to exploit the vulnerability remotely with low privileges increases risk, especially if internal access controls are weak. Organizations in sectors relying heavily on inventory management—such as retail, manufacturing, and logistics—may face operational downtime or financial losses. Additionally, attackers could leverage the vulnerability as a foothold for further network compromise. However, the medium severity and requirement for some level of authentication limit the threat to environments where the attacker can obtain or already has low-level credentials. The lack of known active exploits reduces immediate risk but does not eliminate potential future exploitation.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the administrative interface (/admin/) to trusted IP addresses or VPN-only access to reduce exposure.
2. Implement strict input validation and parameterized queries or prepared statements in the affected code to prevent SQL injection. Since no official patches are currently available, organizations should review and sanitize the 'ID' parameter handling in the /admin/?page=back_order/view_bo endpoint.
3. Enforce strong authentication and least privilege principles to limit the ability of low-privilege users to access sensitive administrative functions.
4. Monitor logs for unusual database query patterns or repeated failed attempts to exploit the 'ID' parameter.
5. Consider deploying Web Application Firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense.
6. Plan for an upgrade or migration to a patched or alternative stock management system version once available.
7. Conduct regular security assessments and code reviews of custom or third-party applications to identify and remediate injection flaws proactively.
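As an added illustration of recommendation 4 (not code from the advisory or from the Stock Management System itself), the script below scans Apache-style access log lines for requests to the affected endpoint whose ID value is not a plain positive integer, and lists source addresses that repeat such requests. The log lines are constructed samples, and checking both `id` and `ID` is an assumption, since the advisory does not state the exact parameter casing.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:18:59:05 +0000] "GET /admin/?page=back_order/view_bo&id=12 HTTP/1.1" 200 4211
10.0.0.5 - - [20/May/2025:18:59:09 +0000] "GET /admin/?page=back_order/view_bo&id=12%27 HTTP/1.1" 500 512
10.0.0.5 - - [20/May/2025:18:59:31 +0000] "GET /admin/?page=back_order/view_bo&ID=12abc HTTP/1.1" 200 4211
10.0.0.7 - - [20/May/2025:19:01:44 +0000] "GET /admin/?page=back_order/view_bo&id=12%2B1 HTTP/1.1" 200 4211
10.0.0.9 - - [20/May/2025:19:02:10 +0000] "GET /admin/?page=inventory&id=12%27 HTTP/1.1" 200 3000
"""

# Fields of a combined-format request line that we need: client IP, timestamp,
# request target (path + query) and HTTP status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AFFECTED_PAGE = "back_order/view_bo"
# A back-order record ID should be a plain positive integer; anything else is worth a look.
VALID_ID = re.compile(r"[1-9]\d*")


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded id value, status) for each request to the
    affected page whose id/ID parameter is not a plain positive integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so "12%27" is inspected as "12'".
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("page", [""])[0] != AFFECTED_PAGE:
            continue
        for value in qs.get("id", []) + qs.get("ID", []):  # casing is an assumption
            if not VALID_ID.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value, int(m.group("status"))))
    return hits


def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` suspicious requests, sorted."""
    counts = {}
    for ip, _ts, _value, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for ip, ts, value, status in found:
        print(f"{ts} {ip} id={value!r} status={status}")
    print("repeat offenders:", repeat_offenders(found))
```

A 500 response paired with a malformed ID, as in the second sample line, is the typical sign of an unhandled database error and deserves priority when triaging.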
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-16T07:05:21.850Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aeba9b
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/11/2025, 9:33:36 PM
Last updated: 7/30/2025, 4:07:30 PM