CVE-2025-5077 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Shopping Portal, specifically within the /admin/edit-subcategory.php file. The vulnerability arises from improper sanitization or validation of the 'Category' parameter, which can be manipulated remotely without authentication or user interaction. This allows an attacker to inject malicious SQL queries into the backend database. The vulnerability is classified with a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N), no user interaction (UI:N), and no scope change (SI:N). The impact on confidentiality, integrity, and availability is low to medium (VC:L, VI:L, VA:L), suggesting that while the vulnerability can be exploited remotely, the potential damage to data confidentiality, integrity, and system availability is limited but still significant. The lack of authentication requirements and the remote exploitability make this vulnerability a concern for organizations using this software. However, there are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability disclosure is public, which increases the risk of exploitation by malicious actors. The vulnerability affects only version 1.0 of the product, implying that newer versions may have addressed this issue or that the product is relatively new or niche.

For European organizations using Campcodes Online Shopping Portal 1.0, this vulnerability poses a risk of unauthorized data access or manipulation through SQL Injection attacks. Attackers could potentially extract sensitive customer data, modify product categories, or disrupt the integrity of the shopping portal's database. This could lead to data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial losses. Given the portal's role in e-commerce, availability impacts could also affect business continuity and revenue. Although the CVSS score suggests medium severity, the ease of remote exploitation without authentication elevates the threat level. Organizations in Europe must consider the legal and reputational consequences of a breach, especially under stringent data protection laws. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure means attackers could develop exploits rapidly.

European organizations should immediately audit their use of Campcodes Online Shopping Portal and identify any installations running version 1.0. Since no official patches are available, organizations should implement compensating controls such as: 1) Restricting access to the /admin/edit-subcategory.php endpoint via network-level controls (e.g., IP whitelisting, VPN access only). 2) Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL Injection patterns targeting the 'Category' parameter. 3) Conducting thorough input validation and sanitization at the application layer if custom modifications are possible. 4) Monitoring logs for suspicious activity related to SQL Injection attempts. 5) Planning for an upgrade to a patched or newer version of the software once available. 6) Educating administrative users about the risk and enforcing strong authentication and least privilege principles to reduce attack surface. These steps will help mitigate risk until an official patch is released.