CVE-2025-7120: SQL Injection in Campcodes Complaint Management System
A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /users/check_availability.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7120 is a SQL injection vulnerability in version 1.0 of the Campcodes Complaint Management System. The flaw is in the /users/check_availability.php script, in its handling of the 'email' parameter: the supplied value is used to build a database query without being separated from the SQL text, so a remote attacker can alter the query by sending SQL syntax in place of an e-mail address. No authentication and no user interaction are required. Depending on the privileges of the application's database account, the injection can read or modify backend tables, including the complaint records the application exists to hold. The CVSS 4.0 vector is network-reachable (AV:N), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), with low impact on the confidentiality, integrity and availability of the vulnerable system (VC:L, VI:L, VA:L), giving a base score of 6.9 (medium). The word "critical" in the description above is VulDB's own classification; the CVSS base score is the figure to use when prioritizing. A public exploit exists, although no exploitation in the wild has been reported at the time of writing, and no vendor patch is known, so organizations running the product have to mitigate on their own. Because complaint management systems hold personal and often sensitive information, exploitation can mean a reportable data breach in addition to reputational and regulatory consequences.
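As an added illustration, not the vendor's code and not the public exploit, the Python below stands in for the pattern the advisory describes: an availability check that splices the caller-supplied email into the SQL text, beside the same check with a bound parameter. It goes one step beyond the advisory to show why a yes/no endpoint is enough for data extraction: a boolean-based probe turns "available"/"taken" into a one-bit oracle and recovers a stored value character by character. The in-memory SQLite schema, the sample rows and the assumption that the endpoint answers only "available" or "taken" are constructed for the demo; the real application is PHP with its own schema.

```python
"""
Added example, not Campcodes code and not the public exploit: the query pattern
the advisory describes (caller input spliced into SQL) beside its fix (a bound
parameter). Schema, rows and the 'available'/'taken' answer are constructed.
"""
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits + "@"


def setup_db():
    """In-memory stand-in for the application's users table (constructed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO users (email, password) VALUES
            ('alice@example.com', 'p@ss'),
            ('bob@example.com',   'hunter2');
        """
    )
    return con


def check_availability_vulnerable(con, email):
    """Returns True if the address is free. The raw parameter becomes part of the
    SQL text, so any value containing a quote changes the query's structure."""
    sql = f"SELECT COUNT(*) FROM users WHERE email = '{email}'"
    (count,) = con.execute(sql).fetchone()
    return count == 0


def check_availability_fixed(con, email):
    """Same check with a bound parameter: the driver sends the value separately,
    so it is compared as data and can never be parsed as SQL."""
    (count,) = con.execute(
        "SELECT COUNT(*) FROM users WHERE email = ?", (email,)
    ).fetchone()
    return count == 0


def probe(con, victim, pos, guess):
    """One boolean-based probe against the vulnerable check: the injected OR makes
    the query match only when character `pos` of the victim's password is `guess`.
    The attacker observes nothing but 'taken' (True here) or 'available'."""
    payload = (
        f"x' OR (SELECT substr(password,{pos},1) FROM users "
        f"WHERE email='{victim}')='{guess}"
    )
    return not check_availability_vulnerable(con, payload)


def leak_password(con, victim, length, alphabet=ALPHABET):
    """Recover `length` characters of the victim's password, one probe per guess."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if probe(con, victim, pos, ch):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", check_availability_vulnerable(db, tautology))  # False: every row matched
    print("fixed:     ", check_availability_fixed(db, tautology))       # True: literal compare, no row
    print("leaked:    ", leak_password(db, "alice@example.com", 4))     # p@ss
```

The fixed variant is the whole remedy: the value travels to the database outside the statement text, so neither the tautology nor the substring probe can change what the query does. In PHP the same separation is obtained with PDO::prepare followed by execute() with the value as an argument, or mysqli prepared statements with bind_param. Escaping functions or a regular-expression check on the address are useful as a second layer but are not a substitute, because they reason about the value rather than removing it from the parser's reach.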
Potential Impact
For European organizations using Campcodes Complaint Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of complaint data, which may include personal data protected under GDPR. Successful exploitation could result in unauthorized data disclosure, data tampering, or denial of service, impacting customer trust and potentially leading to regulatory penalties. The remote, unauthenticated nature of the exploit increases the attack surface, especially for externally accessible complaint management portals. This could disrupt customer service operations and damage organizational reputation. Additionally, compromised systems could be leveraged as pivot points for further attacks within the network. Given the criticality of complaint handling in sectors like public services, healthcare, and finance, the impact could be severe if exploited.
Mitigation Recommendations
1. As a stop-gap, deploy web application firewall (WAF) rules that block SQL metacharacters and keywords in the 'email' parameter of /users/check_availability.php. Treat this as a mitigation, not a fix: WAF signatures can be bypassed, and the query itself stays vulnerable.
2. Fix the code: review /users/check_availability.php and every other query that takes request input, and pass the 'email' value as a bound parameter (prepared statement) instead of concatenating it into the SQL string. Input validation, such as rejecting values that are not syntactically an e-mail address, is a worthwhile second layer but does not replace parameterization.
3. Run the application with a database account limited to the tables and operations it needs, with no file-system or administrative privileges, so a successful injection cannot read or write more than the application itself can.
4. Monitor for exploitation: look for 'email' values containing quotes, comment sequences or SQL keywords, and for single clients making many requests to the endpoint, which is the signature of blind extraction. Web-server access logs show the parameter only for GET requests; if the endpoint is called via POST, enable application-level or WAF request-body logging.
5. Segment the complaint management host from internal networks so that a compromised web or database server cannot be used as a pivot.
6. Ask the vendor for a fixed release and plan to upgrade as soon as one is available.
7. After mitigating, have the endpoint and the rest of the application tested for injection to confirm the fix holds.
8. Brief IT and security staff on the issue and make sure incident response playbooks cover a SQL injection breach of personal data, including notification obligations.
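To make the monitoring recommendation concrete, here is an added Python example (not from the advisory, the vendor or any vendor tooling) that scans combined-format access-log lines for the advisory's endpoint, scores each `email` value for SQL syntax, and reports clients that hit the endpoint repeatedly, since blind extraction needs one request per guess. The log lines, client addresses and thresholds are constructed; only the path and the parameter name come from the advisory.

```python
"""
Added example, not from the advisory or the vendor: scan combined-format access
log lines for SQL-injection probes against /users/check_availability.php.
Log lines, client addresses and thresholds are constructed for the demo; the
path and parameter name are the ones the advisory names.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/users/check_availability.php"
PARAM = "email"

# client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# SQL keywords and comment/statement tokens that have no place in an e-mail address.
SQL_TOKENS = re.compile(
    r"\b(or|and|union|select|sleep|benchmark|substr|substring|load_file)\b|--|/\*|;",
    re.I,
)


def sqli_score(value):
    """0 clean; 1 lone quote (could be a real address such as o'brien@...);
    2 or more: SQL tokens present, worth alerting on."""
    score = 0
    if "'" in value or '"' in value:
        score += 1
    if SQL_TOKENS.search(value):
        score += 2
    return score


def parse_request(target):
    """None if the request is for another path; otherwise the decoded `email` values."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    # parse_qs decodes once; a second pass catches double-encoded probes (%2527 -> %27 -> ').
    return [unquote(v) for v in values]


def scan(lines, rate_threshold=50, min_score=2):
    """Return (payload hits, clients that hit the endpoint at least rate_threshold times)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        values = parse_request(m["target"])
        if values is None:
            continue
        per_ip[m["ip"]] += 1
        for v in values:
            s = sqli_score(v)
            if s >= min_score:
                hits.append({"ip": m["ip"], "ts": m["ts"], "email": v, "score": s})
    noisy = {ip: n for ip, n in per_ip.items() if n >= rate_threshold}
    return hits, noisy


# Constructed sample: two normal checks, two probes from one client, an unrelated
# request, and a legitimate address containing an apostrophe.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jul/2025:08:54:21 +0000] "GET /users/check_availability.php?email=alice%40example.com HTTP/1.1" 200 17',
    '10.0.0.5 - - [07/Jul/2025:08:54:25 +0000] "GET /users/check_availability.php?email=bob%40example.com HTTP/1.1" 200 17',
    '203.0.113.9 - - [07/Jul/2025:09:01:02 +0000] "GET /users/check_availability.php?email=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 17',
    '203.0.113.9 - - [07/Jul/2025:09:01:03 +0000] "GET /users/check_availability.php?email=x%27+OR+%28SELECT+substr%28password%2C1%2C1%29+FROM+users%29%3D%27a HTTP/1.1" 200 17',
    '203.0.113.9 - - [07/Jul/2025:09:01:04 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jul/2025:09:05:00 +0000] "GET /users/check_availability.php?email=o%27brien%40example.com HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG, rate_threshold=2)
    for h in found:
        print(f"{h['ts']} {h['ip']} score={h['score']} email={h['email']!r}")
    print("clients hammering the endpoint:", noisy)
```

Two caveats a practitioner should keep in mind. First, this only sees the parameter because the sample requests use GET; if the application posts the check, the value is in the request body and does not appear in a standard access log, so the scan must run over WAF or application logs instead. Second, a lone apostrophe is deliberately scored below the alerting threshold because addresses such as o'brien@example.com are legitimate; the rate check catches an attacker who stays under the token-based rule by sending many innocuous-looking probes.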
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-06T07:50:55.493Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686b8b3d6f40f0eb72e22433
Added to database: 7/7/2025, 8:54:21 AM
Last enriched: 7/15/2025, 9:16:25 PM
Last updated: 8/19/2025, 7:56:02 AM
Related Threats
- CVE-2025-9233: Cross Site Scripting in Scada-LTS (Medium)
- CVE-2025-55751: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in HackUCF OnboardLite (Medium)
- CVE-2025-50864: n/a (High)
- CVE-2025-51991: n/a (High)
- CVE-2025-51990: n/a (High)