Skip to main content

CVE-2025-5077: SQL Injection in Campcodes Online Shopping Portal

Medium
VulnerabilityCVE-2025-5077cvecve-2025-5077
Published: Thu May 22 2025 (05/22/2025, 14:00:12 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Online Shopping Portal

Description

A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument Category leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 07/08/2025, 10:40:49 UTC

Technical Analysis

CVE-2025-5077 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Shopping Portal, specifically within the /admin/edit-subcategory.php file. The vulnerability arises from improper sanitization or validation of the 'Category' parameter, which can be manipulated remotely without authentication or user interaction. This allows an attacker to inject malicious SQL queries into the backend database. The vulnerability is classified with a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N), no user interaction (UI:N), and no scope change (SI:N). The impact on confidentiality, integrity, and availability is low to medium (VC:L, VI:L, VA:L), suggesting that while the vulnerability can be exploited remotely, the potential damage to data confidentiality, integrity, and system availability is limited but still significant. The lack of authentication requirements and the remote exploitability make this vulnerability a concern for organizations using this software. However, there are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability disclosure is public, which increases the risk of exploitation by malicious actors. The vulnerability affects only version 1.0 of the product, implying that newer versions may have addressed this issue or that the product is relatively new or niche.

Potential Impact

For European organizations using Campcodes Online Shopping Portal 1.0, this vulnerability poses a risk of unauthorized data access or manipulation through SQL Injection attacks. Attackers could potentially extract sensitive customer data, modify product categories, or disrupt the integrity of the shopping portal's database. This could lead to data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial losses. Given the portal's role in e-commerce, availability impacts could also affect business continuity and revenue. Although the CVSS score suggests medium severity, the ease of remote exploitation without authentication elevates the threat level. Organizations in Europe must consider the legal and reputational consequences of a breach, especially under stringent data protection laws. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure means attackers could develop exploits rapidly.

Mitigation Recommendations

European organizations should immediately audit their use of Campcodes Online Shopping Portal and identify any installations running version 1.0. Since no official patches are available, organizations should implement compensating controls such as: 1) Restricting access to the /admin/edit-subcategory.php endpoint via network-level controls (e.g., IP whitelisting, VPN access only). 2) Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL Injection patterns targeting the 'Category' parameter. 3) Conducting thorough input validation and sanitization at the application layer if custom modifications are possible. 4) Monitoring logs for suspicious activity related to SQL Injection attempts. 5) Planning for an upgrade to a patched or newer version of the software once available. 6) Educating administrative users about the risk and enforcing strong authentication and least privilege principles to reduce attack surface. These steps will help mitigate risk until an official patch is released.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-05-22T05:36:52.861Z
Cisa Enriched
false
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682f2fb50acd01a24925c8c9

Added to database: 5/22/2025, 2:07:49 PM

Last enriched: 7/8/2025, 10:40:49 AM

Last updated: 7/30/2025, 4:09:01 PM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats