
CVE-2025-5677: SQL Injection in Campcodes Online Recruitment Management System

Severity: Medium
Published: Thu Jun 05 2025 (06/05/2025, 19:00:17 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Recruitment Management System

Description

A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/ajax.php?action=save_application. The manipulation of the argument position_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 17:01:14 UTC

Technical Analysis

CVE-2025-5677 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Recruitment Management System. It lies in the /admin/ajax.php endpoint when the action parameter is set to save_application: the position_id parameter is incorporated into an SQL statement without being bound as a query parameter or otherwise neutralized, so SQL syntax supplied in that parameter is executed by the database. An attacker can therefore read or modify data beyond what the handler intends; with a non-parameterized numeric filter this typically means turning a single-row lookup into a tautology (1 OR 1=1) or appending a UNION that pulls rows from other tables. Exploitation is reported to require no authentication, user interaction or privileges and to be possible over the network. Note, however, that the endpoint sits under /admin/, so deployments that already restrict that directory to administrators or internal networks reduce the exposed surface. The word "critical" in the description reflects the assigner's own qualitative rating; the CVSS 4.0 base score is 6.9 (medium), with confidentiality, integrity and availability impact each rated low, although the combined effect on a database of candidate records can still be significant. Only version 1.0 is listed as affected, and no vendor patch had been published at the time of analysis. A public proof of concept exists (the description notes that the exploit has been disclosed), but no exploitation in the wild had been observed. The root cause is the usual one for this bug class: user-controlled input concatenated into query text instead of being validated and passed through a prepared statement.
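To make the mechanism concrete, the following is an added Python/sqlite3 re-creation of the bug class, written for this page. It is not the Campcodes code (the product is PHP and its queries are not shown in the advisory); the table, columns and handler names are assumptions. The vulnerable function concatenates position_id into the query text, so a tautology returns every position and a UNION reads the schema table; the fixed function rejects non-numeric input and binds the value as a parameter.

```python
"""Illustrative re-creation of the CVE-2025-5677 bug class (SQL injection via a
numeric id parameter) using Python and sqlite3. Added example for this page;
NOT the Campcodes product code. Schema and handler names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny recruitment database with job positions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE positions (id INTEGER PRIMARY KEY, title TEXT, internal_notes TEXT);
        INSERT INTO positions VALUES (1, 'Backend Engineer', 'budget 70k');
        INSERT INTO positions VALUES (2, 'Recruiter', 'budget 45k');
        INSERT INTO positions VALUES (3, 'CISO', 'confidential search');
    """)
    return conn


def save_application_vulnerable(conn: sqlite3.Connection, position_id: str) -> list:
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so any SQL syntax inside position_id becomes part of the statement."""
    sql = f"SELECT id, title, internal_notes FROM positions WHERE id = {position_id}"
    return conn.execute(sql).fetchall()


def save_application_fixed(conn: sqlite3.Connection, position_id: str) -> list:
    """Hardened version: enforce the expected type, then bind the value.
    The database receives the query shape and the value separately, so the
    value can never change the statement's structure."""
    if not position_id.isdigit():
        raise ValueError("position_id must be a positive integer")
    sql = "SELECT id, title, internal_notes FROM positions WHERE id = ?"
    return conn.execute(sql, (int(position_id),)).fetchall()


def demo() -> dict:
    """Run the same attacker inputs through both handlers and collect results."""
    conn = make_db()
    results = {
        # A legitimate request works the same in both versions.
        "vuln_ok": save_application_vulnerable(conn, "2"),
        "fixed_ok": save_application_fixed(conn, "2"),
        # Tautology: the WHERE clause becomes "id = 1 OR 1=1", returning every row.
        "vuln_tautology": save_application_vulnerable(conn, "1 OR 1=1"),
        # UNION: no position has id 0, so the result is the schema table instead.
        "vuln_union": save_application_vulnerable(
            conn, "0 UNION SELECT 1, name, sql FROM sqlite_master"),
    }
    try:
        save_application_fixed(conn, "1 OR 1=1")
        results["fixed_rejects_injection"] = False
    except ValueError:
        results["fixed_rejects_injection"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same fix applies in PHP with PDO or mysqli prepared statements: cast or validate position_id as an integer, then pass it as a bound parameter rather than interpolating it into the query string.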

Potential Impact

For European organizations running Campcodes Online Recruitment Management System 1.0, this vulnerability exposes the recruitment database to unauthorized read and write access. Recruitment systems hold applicant personal data (CVs, contact details and similar records), so a confidentiality breach would likely constitute a personal data breach under the GDPR, bringing notification duties towards the supervisory authority and affected individuals as well as exposure to fines. Integrity compromise could alter applications, scores or outcomes and undermine trust in hiring decisions. Availability impact is less likely but possible if injected statements corrupt or delete data or overload the database. The medium rating reflects the low per-dimension impact, not low exploitability: once the endpoint is reachable, exploitation is straightforward, and the real damage depends on the deployment and the sensitivity of the stored data. Organizations relying on this system for HR functions should treat the risk as significant because of the regulatory and reputational consequences.

Mitigation Recommendations

1. Reduce exposure immediately: restrict access to the /admin/ area, including /admin/ajax.php, to trusted IP ranges or a VPN, and do not leave the admin interface reachable from the public internet.
2. As a stopgap, add a WAF or reverse-proxy rule for requests to /admin/ajax.php with action=save_application that rejects any position_id that is not a plain integer; an allow-list on the expected format is more reliable than a blacklist of SQL keywords.
3. Fix the code: treat position_id as an integer (cast it or reject non-numeric input) and pass it to the database through a prepared statement with bound parameters instead of string concatenation; apply the same change to every other request parameter that reaches a query.
4. Monitor web server and application logs for requests to the endpoint whose position_id contains quotes, SQL keywords or comment markers, and for scanner user agents; bear in mind that standard access logs do not record POST bodies, so WAF or request-body logging may be needed.
5. Ask the vendor for a patched release; if none is available, plan an upgrade to a fixed version or a migration to an alternative recruitment management product.
6. Include injection testing of this and similar AJAX endpoints in regular security assessments and penetration tests.
7. Make administrators aware of the issue and of the signs of exploitation attempts.
8. Keep tested, offline backups of the recruitment database so data can be restored after a compromise.
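Item 4 asks for log monitoring. The following is an added Python example, written for this page and not taken from the product or the advisory, that scans access-log lines in Apache/nginx combined format for requests to /admin/ajax.php with action=save_application and flags any position_id that is not a plain integer after URL decoding. The log lines are constructed samples. The check assumes position_id arrives in the query string; POST requests without a visible position_id are reported at "info" level for separate body inspection, since access logs do not record request bodies.

```python
"""Scan web access logs for injection attempts against the CVE-2025-5677 endpoint.
Added example for this page; not part of the Campcodes product or the advisory.
Assumes position_id is visible in the query string of the logged request line."""
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/admin/ajax.php"
VULN_ACTION = "save_application"
PARAM = "position_id"

# Constructed sample traffic in combined log format (not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2025:19:02:11 +0000] "GET /admin/ajax.php?action=save_application&position_id=7 HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2025:19:02:14 +0000] "GET /admin/ajax.php?action=save_application&position_id=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2025:19:03:01 +0000] "GET /admin/ajax.php?action=save_application&position_id=0%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 612 "-" "sqlmap/1.8"
198.51.100.9 - - [05/Jun/2025:19:03:05 +0000] "GET /admin/ajax.php?action=login HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Jun/2025:19:04:44 +0000] "POST /admin/ajax.php?action=save_application HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""

# Combined format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(method: str, target: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a request to the vulnerable endpoint, else None.

    parse_qs percent-decodes the values, so encoded payloads are checked in the
    decoded form the application would actually see.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != VULN_ACTION:
        return None
    values = qs.get(PARAM)
    if values is None:
        # The parameter may be in a POST body, which access logs do not record.
        if method == "POST":
            return ("info", "position_id not in query string; inspect request body")
        return None
    for value in values:
        # position_id should be a plain integer; anything else is suspicious.
        if not value.isdigit():
            return ("high", f"non-numeric position_id: {value!r}")
    return None


def scan(log_text: str) -> list:
    """Run inspect_request over every parsable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = inspect_request(rec["method"], rec["target"])
        if hit is not None:
            severity, reason = hit
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<5} {f['ip']:<14} {f['ts']}  {f['reason']}")
```

Checking the decoded value against the expected format (digits only) catches payloads regardless of how they are encoded or which SQL keywords they use, which is why the allow-list approach is preferable to keyword matching both here and in a WAF rule.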


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-04T13:02:33.400Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6841ec61182aa0cae2ed1efe

Added to database: 6/5/2025, 7:13:37 PM

Last enriched: 7/7/2025, 5:01:14 PM

Last updated: 7/25/2025, 5:14:41 PM


