
CVE-2025-7134: SQL Injection in Campcodes Online Recruitment Management System

Severity: Medium
Published: Mon Jul 07 2025 (07/07/2025, 15:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Recruitment Management System

Description

A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_application. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 16:09:46 UTC

Technical Analysis

CVE-2025-7134 is an SQL injection vulnerability in version 1.0 of the Campcodes Online Recruitment Management System. The CVE record labels it "critical" (VulDB's own qualitative class), but the CVSS 4.0 base score assigned is 6.9, which is medium; the two labels are not in conflict, they simply come from different scales. The flaw is in the /admin/ajax.php endpoint when it handles the delete_application action: the ID parameter is used in the database query without validation or binding, so an attacker controls the text of the query. The CVSS vector reported for this entry indicates low attack complexity and no user interaction or privileges required. Note, however, that the handler lives under /admin/, so check in your own deployment whether ajax.php enforces an admin session before the query executes; even if it does, the flaw is still reachable by any low-privileged or compromised admin account, and a missing or bypassable check makes it reachable by any remote client.

The affected action deletes an application record, so the injected value most likely lands in the WHERE clause of a DELETE statement. That makes the direct impact broader than the original analysis suggests: a tautology such as 1 OR 1=1 in place of a numeric ID removes every application row, which is a loss of both integrity and availability of recruitment data, not just confidentiality. If the handler uses the usual single-statement mysqli_query() call, stacked queries are not available, so the remaining primitives are unbounded deletion and boolean- or time-based blind inference against other tables. Only version 1.0 is listed as affected, no vendor patch has been published as of the dates on this page, and exploit details are public, which raises the likelihood of opportunistic exploitation. Because the system holds applicant PII and internal hiring information, exposure or alteration of that data is the realistic outcome.
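The injection mechanics described above, shown as an added example that is not part of this advisory and not the vendor's code. The table, sample rows and the two handler functions are hypothetical stand-ins for the delete_application handler; the real application is PHP on MySQL, but the vulnerable pattern (splicing the request parameter into the query text) and the fix (type-check the ID, then bind it with a placeholder) are the same. SQLite is used here only so the example runs offline.

```python
import sqlite3

# Constructed sample data standing in for an applications table. The schema
# and rows are assumptions for this example, not the vendor's schema.
SAMPLE_ROWS = [
    (1, "A. Example", "a@example.org"),
    (2, "B. Example", "b@example.org"),
    (3, "C. Example", "c@example.org"),
]


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO applications VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_application_vulnerable(conn: sqlite3.Connection, id_value: str) -> int:
    """Vulnerable pattern (hypothetical): the request parameter is concatenated
    into the statement, so the client decides what the WHERE clause says.
    Returns the number of rows deleted."""
    query = f"DELETE FROM applications WHERE id = {id_value}"
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def delete_application_safe(conn: sqlite3.Connection, id_value: str) -> int:
    """Hardened pattern: reject anything that is not a positive integer, then
    bind the value with a placeholder so it can never change the query's
    structure. Returns the number of rows deleted."""
    if not id_value.isdigit():
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM applications WHERE id = ?", (int(id_value),))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    """Count the application rows still present."""
    return conn.execute("SELECT COUNT(*) FROM applications").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, id=2:", delete_application_vulnerable(db, "2"), "row deleted")

    # Attacker-controlled value: the tautology makes the WHERE clause match
    # every row, so one request wipes the whole table.
    db = fresh_db()
    n = delete_application_vulnerable(db, "1 OR 1=1")
    print("vulnerable, id='1 OR 1=1':", n, "rows deleted,", remaining(db), "left")

    db = fresh_db()
    try:
        delete_application_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe handler rejected the payload:", exc)
    print("safe, id=2:", delete_application_safe(db, "2"), "row deleted,", remaining(db), "left")
```

The integer check is not a substitute for the placeholder; it is there because the ID is semantically an integer and rejecting anything else gives you a clean log signal. The placeholder is what actually prevents the injection, and it is the fix to apply across every query in ajax.php, not only this action.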

Potential Impact

For European organizations running Campcodes Online Recruitment Management System 1.0, this vulnerability threatens the confidentiality, integrity and availability of applicant and HR data. Unauthorized access to recruitment records exposes personally identifiable information (PII), which is a reportable personal data breach under the GDPR and can bring regulatory penalties and reputational damage. Manipulation or mass deletion of application records disrupts hiring and undermines trust in the process. Because the reported vector requires no authentication, any organization whose admin interface is reachable from the internet is a direct target, and the combination of public exploit details and no vendor patch makes the window for mitigation short. The database behind the recruitment system may also share credentials or a host with other applications, so a successful injection can become a foothold for further intrusion or lateral movement. The impact is greater for organizations in regulated industries or those handling sensitive candidate information.

Mitigation Recommendations

1. Restrict access to /admin/ajax.php (and the rest of /admin/) to an IP allowlist or VPN-only access so the endpoint is not reachable from the open internet while unpatched.
2. Put a Web Application Firewall in front of the application with a rule that rejects any request to ajax.php with action=delete_application whose id parameter is not a plain positive integer. Match the parameter name case-insensitively and inspect both the query string and POST bodies; a rule that only looks at GET parameters is easy to bypass. Treat the WAF as a stopgap, not the fix.
3. Review the code and replace string-built queries with prepared statements (mysqli or PDO with bound parameters) for the id parameter and for every other query in ajax.php, since the same pattern is likely repeated across actions. Validate id as an integer before it reaches the database layer.
4. Upgrade to a patched version as soon as the vendor publishes one; until then, isolate the system or replace it if the exposure cannot be reduced.
5. Monitor web server and application logs for requests to the vulnerable endpoint with non-numeric id values, SQL keywords or quote characters in the parameter, repeated hits from a single source, and admin endpoint access from unexpected addresses.
6. Brief IT and security teams on the issue and make sure the incident response plan covers SQL injection, including how to verify whether application records have been read or deleted.
7. Deploy database activity monitoring or query logging to detect anomalous statements, for example a DELETE on the applications table that removes more than one row per request.
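The log monitoring in steps 1 and 5, as an added example that is not part of this advisory. The scanner below parses access log lines in Apache/nginx combined format, picks out requests to /admin/ajax.php, and flags delete_application calls whose id is not a plain integer as well as any admin endpoint hit from an address outside an optional allowlist. The log lines are constructed for this example and do not come from any real deployment; the endpoint path and parameter names are taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in combined format (not real traffic). The
# second and third requests carry injection payloads in the id parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2025:15:40:01 +0000] "GET /admin/ajax.php?action=delete_application&id=17 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jul/2025:15:40:03 +0000] "GET /admin/ajax.php?action=delete_application&id=17%20OR%201%3D1 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jul/2025:15:41:10 +0000] "GET /admin/ajax.php?action=delete_application&id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 2 "-" "python-requests/2.31"
203.0.113.5 - - [07/Jul/2025:15:42:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request target and status from a
# combined-format line. Anything else on the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

NUMERIC_ID = re.compile(r"^\d+$")
VULN_PATH = "/admin/ajax.php"
VULN_ACTION = "delete_application"


def scan_access_log(log_text: str, admin_allowlist=frozenset()) -> list:
    """Return one finding per suspicious request to the admin endpoint.

    A finding is a dict with the client ip, timestamp, decoded id value and
    a list of reasons. If admin_allowlist is non-empty, any admin endpoint
    request from an address outside it is also reported.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        params = parse_qs(parts.query)  # percent-decodes the values
        action = params.get("action", [None])[0]
        id_value = params.get("id", [None])[0]

        reasons = []
        if admin_allowlist and m["ip"] not in admin_allowlist:
            reasons.append("admin endpoint reached from non-allowlisted address")
        if action == VULN_ACTION and id_value is not None and not NUMERIC_ID.match(id_value):
            reasons.append("non-numeric id passed to delete_application")

        if reasons:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "id": id_value, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, admin_allowlist={"203.0.113.5"}):
        print(f"{f['ts']} {f['ip']} id={f['id']!r}: {'; '.join(f['reasons'])}")
```

This only sees parameters that appear in the request line. If the application sends id in a POST body, the web server log will not contain it and you need application-level logging or the WAF's request log as the input instead; the detection logic stays the same.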


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-06T08:36:11.603Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686bedae6f40f0eb72ea4e17

Added to database: 7/7/2025, 3:54:22 PM

Last enriched: 7/7/2025, 4:09:46 PM

Last updated: 7/7/2025, 4:09:46 PM
