
CVE-2025-7120: SQL Injection in Campcodes Complaint Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-7120
Published: Mon Jul 07 2025 (07/07/2025, 08:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Complaint Management System

Description

A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /users/check_availability.php. The manipulation of the argument email leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 09:09:30 UTC

Technical Analysis

CVE-2025-7120 is a critical SQL injection vulnerability identified in version 1.0 of the Campcodes Complaint Management System. The vulnerability resides in the /users/check_availability.php file, specifically in the handling of the 'email' parameter. An attacker can manipulate this parameter to inject SQL code, which the application passes to the database without sanitization or parameterization. The flaw allows remote attackers to execute arbitrary SQL commands against the backend database without authentication or user interaction. Depending on the database privileges of the application account, this could enable attackers to extract sensitive data, modify or delete records, or escalate privileges within the application or the underlying database. Although the CVSS 4.0 base score is 6.9 (medium severity), the absence of authentication and user-interaction requirements, combined with the direct impact on data confidentiality, integrity, and availability, makes this a significant risk. The vulnerability affects only version 1.0 of the product, and no official patches or fixes have been published yet. No exploitation in the wild has been reported, but public disclosure increases the likelihood of exploitation attempts.

Potential Impact

For European organizations using Campcodes Complaint Management System 1.0, this vulnerability poses a substantial risk to the confidentiality and integrity of complaint data, which often contains personally identifiable information (PII) and sensitive customer feedback. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service, undermining trust and potentially violating GDPR requirements regarding data protection and breach notification. Organizations relying on this system for customer service or regulatory compliance could face operational disruptions and reputational damage. The remote and unauthenticated nature of the exploit increases the attack surface, making it easier for threat actors to target these systems from anywhere. Given the criticality of complaint management in sectors such as finance, healthcare, and public services, the impact could extend to regulatory penalties and loss of customer confidence.

Mitigation Recommendations

Immediate mitigation steps include validating the 'email' parameter in /users/check_availability.php and rewriting the query that consumes it to use prepared statements or parameterized queries; parameterization is what actually eliminates the injection vector, while input validation is a complementary layer. Organizations should conduct a thorough code review of the affected module and related components to identify and remediate similar vulnerabilities. If possible, isolate the affected system from external networks or restrict access via firewall rules until a patch is available. Monitoring web server and database logs for suspicious query patterns or unusual database activity can help detect exploitation attempts early. Given the absence of an official patch, organizations should consider upgrading to a newer, secure version of the Campcodes system if one is available, or applying vendor-provided workarounds. Additionally, ensure regular backups of complaint data to enable recovery in case of data corruption or loss. Finally, organizations should prepare incident response plans tailored to SQL injection attacks and train staff accordingly.
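The following is an added example, not code from the Campcodes project, showing the two approaches contrasted in the technical analysis and the mitigation advice above: an email-availability check that splices the request parameter into the SQL text (an illustrative reconstruction of the vulnerable pattern, not the actual contents of /users/check_availability.php) beside a hardened version that validates the value and binds it through a PDO prepared statement. The table and column names (users, email), the JSON response shape, and the SQLite backing store are assumptions made for the demo; the page does not describe the product's schema or database.

```php
<?php
// Added example (not the Campcodes project's code). Demonstrates why string
// concatenation is unsafe and how a prepared statement fixes it. Schema
// (users.email) and response format are assumptions for this demo.
declare(strict_types=1);

// Vulnerable pattern (illustrative reconstruction, NOT the project's source):
// the request value becomes part of the SQL text, so any quote or operator
// inside it changes the structure of the query the database executes.
function checkAvailabilityUnsafe(PDO $db, string $email): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE email = '" . $email . "'";
    return (int) $db->query($sql)->fetchColumn() === 0;
}

// Hardened version: validate first, then bind the value as a parameter so the
// database engine treats it strictly as data, never as SQL.
function checkAvailabilitySafe(PDO $db, string $email): bool
{
    $email = trim($email);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() === 0;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('o''brien@example.com')");

// A perfectly legitimate address containing an apostrophe. With the unsafe
// function the quote terminates the SQL string literal and the query breaks,
// which is the same mechanism an attacker abuses; the safe function handles it.
$requested = $_GET['email'] ?? "o'brien@example.com"; // fallback for CLI runs

try {
    checkAvailabilityUnsafe($db, $requested);
} catch (PDOException $e) {
    echo "unsafe query failed: input altered the SQL text", PHP_EOL;
}

try {
    $available = checkAvailabilitySafe($db, $requested);
    echo json_encode(['email' => $requested, 'available' => $available]), PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]), PHP_EOL;
}
```

Run from the command line the script reports that the unsafe query fails on the apostrophe and that the safe check correctly returns `"available": false` for the existing address; a request with a malformed `email` value is rejected with HTTP 400 before any query runs. The validation step is defense in depth only: the prepared statement is what removes the injection vector, so it should be applied to every query that consumes request data, not just this one.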


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-06T07:50:55.493Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686b8b3d6f40f0eb72e22433

Added to database: 7/7/2025, 8:54:21 AM

Last enriched: 7/7/2025, 9:09:30 AM

Last updated: 7/7/2025, 9:09:30 AM
