CVE-2025-5077: SQL Injection in Campcodes Online Shopping Portal
A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument Category leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5077 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Shopping Portal, specifically within the /admin/edit-subcategory.php file. The vulnerability arises from improper sanitization or validation of the 'Category' parameter, which can be manipulated remotely without authentication or user interaction. This allows an attacker to inject malicious SQL queries into the backend database. The vulnerability is classified with a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N), no user interaction (UI:N), and no scope change (SI:N). The impact on confidentiality, integrity, and availability is low to medium (VC:L, VI:L, VA:L), suggesting that while the vulnerability can be exploited remotely, the potential damage to data confidentiality, integrity, and system availability is limited but still significant. The lack of authentication requirements and the remote exploitability make this vulnerability a concern for organizations using this software. However, there are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability disclosure is public, which increases the risk of exploitation by malicious actors. The vulnerability affects only version 1.0 of the product, implying that newer versions may have addressed this issue or that the product is relatively new or niche.
Potential Impact
For European organizations using Campcodes Online Shopping Portal 1.0, this vulnerability poses a risk of unauthorized data access or manipulation through SQL Injection attacks. Attackers could potentially extract sensitive customer data, modify product categories, or disrupt the integrity of the shopping portal's database. This could lead to data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial losses. Given the portal's role in e-commerce, availability impacts could also affect business continuity and revenue. Although the CVSS score suggests medium severity, the ease of remote exploitation without authentication elevates the threat level. Organizations in Europe must consider the legal and reputational consequences of a breach, especially under stringent data protection laws. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure means attackers could develop exploits rapidly.
Mitigation Recommendations
European organizations should immediately audit their use of Campcodes Online Shopping Portal and identify any installations running version 1.0. Since no official patches are available, organizations should implement compensating controls such as: 1) Restricting access to the /admin/edit-subcategory.php endpoint via network-level controls (e.g., IP whitelisting, VPN access only). 2) Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL Injection patterns targeting the 'Category' parameter. 3) Conducting thorough input validation and sanitization at the application layer if custom modifications are possible. 4) Monitoring logs for suspicious activity related to SQL Injection attempts. 5) Planning for an upgrade to a patched or newer version of the software once available. 6) Educating administrative users about the risk and enforcing strong authentication and least privilege principles to reduce attack surface. These steps will help mitigate risk until an official patch is released.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
CVE-2025-5077: SQL Injection in Campcodes Online Shopping Portal
Description
A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument Category leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI-Powered Analysis
Technical Analysis
CVE-2025-5077 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Shopping Portal, specifically within the /admin/edit-subcategory.php file. The vulnerability arises from improper sanitization or validation of the 'Category' parameter, which can be manipulated remotely without authentication or user interaction. This allows an attacker to inject malicious SQL queries into the backend database. The vulnerability is classified with a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N), no user interaction (UI:N), and no scope change (SI:N). The impact on confidentiality, integrity, and availability is low to medium (VC:L, VI:L, VA:L), suggesting that while the vulnerability can be exploited remotely, the potential damage to data confidentiality, integrity, and system availability is limited but still significant. The lack of authentication requirements and the remote exploitability make this vulnerability a concern for organizations using this software. However, there are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability disclosure is public, which increases the risk of exploitation by malicious actors. The vulnerability affects only version 1.0 of the product, implying that newer versions may have addressed this issue or that the product is relatively new or niche.
Potential Impact
For European organizations using Campcodes Online Shopping Portal 1.0, this vulnerability poses a risk of unauthorized data access or manipulation through SQL Injection attacks. Attackers could potentially extract sensitive customer data, modify product categories, or disrupt the integrity of the shopping portal's database. This could lead to data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial losses. Given the portal's role in e-commerce, availability impacts could also affect business continuity and revenue. Although the CVSS score suggests medium severity, the ease of remote exploitation without authentication elevates the threat level. Organizations in Europe must consider the legal and reputational consequences of a breach, especially under stringent data protection laws. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure means attackers could develop exploits rapidly.
Mitigation Recommendations
European organizations should immediately audit their use of Campcodes Online Shopping Portal and identify any installations running version 1.0. Since no official patches are available, organizations should implement compensating controls such as: 1) Restricting access to the /admin/edit-subcategory.php endpoint via network-level controls (e.g., IP whitelisting, VPN access only). 2) Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL Injection patterns targeting the 'Category' parameter. 3) Conducting thorough input validation and sanitization at the application layer if custom modifications are possible. 4) Monitoring logs for suspicious activity related to SQL Injection attempts. 5) Planning for an upgrade to a patched or newer version of the software once available. 6) Educating administrative users about the risk and enforcing strong authentication and least privilege principles to reduce attack surface. These steps will help mitigate risk until an official patch is released.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-05-22T05:36:52.861Z
- Cisa Enriched
- false
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 682f2fb50acd01a24925c8c9
Added to database: 5/22/2025, 2:07:49 PM
Last enriched: 7/8/2025, 10:40:49 AM
Last updated: 7/30/2025, 4:09:01 PM
Views: 14
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java
MediumCVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.