
CVE-2025-7135: SQL Injection in Campcodes Online Recruitment Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-7135
Published: Mon Jul 07 2025 (07/07/2025, 16:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Recruitment Management System

Description

A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 16:40:24 UTC

Technical Analysis

CVE-2025-7135 is a critical SQL injection vulnerability identified in version 1.0 of the Campcodes Online Recruitment Management System. The vulnerability arises from improper sanitization of the 'ID' parameter in the /admin/ajax.php endpoint when the action parameter is set to 'save_vacancy'. This flaw allows an unauthenticated remote attacker to inject SQL into the backend database queries. Exploiting it could let attackers manipulate those queries, potentially leading to unauthorized data disclosure, data modification or deletion, and in some cases full system compromise, depending on the privileges of the database account the application uses. The vulnerability requires neither authentication nor user interaction, making it highly accessible for exploitation. Although the CVSS v4.0 score is 6.9 (medium severity), SQL injection vulnerabilities typically pose significant risk, especially in systems that manage sensitive recruitment data such as personally identifiable information (PII) of candidates and organizational hiring details. No patches have been officially released yet, and while no exploitation in the wild is currently reported, public disclosure of the exploit code increases the risk of imminent attacks. The vulnerability affects only version 1.0 of the product, which may still be in use by organizations that have not updated or migrated to newer versions or alternative solutions.

Potential Impact

For European organizations using Campcodes Online Recruitment Management System version 1.0, this vulnerability presents a substantial risk to confidentiality, integrity, and availability of recruitment data. Attackers exploiting this flaw could access sensitive candidate information, including personal data protected under GDPR, leading to regulatory non-compliance and potential fines. Integrity of recruitment records could be compromised, affecting hiring decisions and organizational trust. Availability of the recruitment platform could also be disrupted, impacting HR operations and business continuity. Given the remote and unauthenticated nature of the exploit, attackers could target multiple organizations en masse. The reputational damage and operational disruption could be significant, especially for large enterprises and public sector entities heavily reliant on digital recruitment processes.

Mitigation Recommendations

Immediate mitigation steps include implementing web application firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the /admin/ajax.php?action=save_vacancy endpoint. Organizations should conduct a thorough audit of their Campcodes deployment to identify affected versions and restrict access to the administration interface via network segmentation and IP whitelisting. Input validation and parameterized queries should be enforced in the application code; however, since no official patch is available, organizations may need to apply temporary code-level fixes or disable the vulnerable functionality if feasible. Monitoring logs for suspicious activity related to the 'ID' parameter and unusual database queries is critical. Organizations should also prepare for rapid patch deployment once an official fix is released and consider migrating to alternative recruitment management systems with better security track records if timely remediation is not possible.
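The monitoring step above, turned into a concrete check, as an added example that is not part of the advisory and not Campcodes code: it scans web-server access logs for requests to /admin/ajax.php with action=save_vacancy and flags any id value that is not a plain positive integer, which is what a vacancy identifier should be. It assumes Apache/Nginx combined log format and that the id parameter travels in the query string; the log lines are constructed for the example, and the parameter name is matched case-insensitively because the advisory writes it as 'ID'.

```python
"""Flag anomalous 'id' values sent to /admin/ajax.php?action=save_vacancy.

Added monitoring example; the sample log lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [timestamp] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint and action named in the advisory (assumed to be reachable via GET for this example).
TARGET_PATH = "/admin/ajax.php"
TARGET_ACTION = "save_vacancy"

# A vacancy id is expected to be a positive integer; anything else is an anomaly.
INT_RE = re.compile(r"^\d+$")
# Metacharacters and keywords that indicate an attempt to leave the numeric context.
SQLI_HINT_RE = re.compile(
    r"""['"`;]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.I
)

# Constructed sample lines: two benign requests, three anomalous ones, and a POST
# whose body (where the id might also be sent) is not visible in an access log.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2025:16:02:06 +0000] "GET /admin/ajax.php?action=save_vacancy&id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2025:16:02:09 +0000] "GET /admin/ajax.php?action=list_vacancies HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jul/2025:16:05:41 +0000] "GET /admin/ajax.php?action=save_vacancy&id=12%27 HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.7 - - [07/Jul/2025:16:05:44 +0000] "GET /admin/ajax.php?action=save_vacancy&id=12%20OR%201%3D1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [07/Jul/2025:16:05:50 +0000] "GET /admin/ajax.php?action=save_vacancy&ID=twelve HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.5 - - [07/Jul/2025:16:06:00 +0000] "POST /admin/ajax.php?action=save_vacancy HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "12%27" arrives as "12'"; keys are lower-cased
    # so that 'id' and 'ID' are treated alike.
    rec["query"] = {
        k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def classify_id(value):
    """Return None for a well-formed id, otherwise a short verdict string."""
    if INT_RE.match(value):
        return None
    if SQLI_HINT_RE.search(value):
        return "sqli-pattern"
    return "non-numeric-id"


def scan_log(text):
    """Return one finding per anomalous id value sent to the vulnerable action."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        if rec["query"].get("action", [""])[0] != TARGET_ACTION:
            continue
        for value in rec["query"].get("id", []):
            verdict = classify_id(value)
            if verdict:
                findings.append({
                    "client": rec["client"], "ts": rec["ts"], "status": rec["status"],
                    "id": value, "verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} status={f['status']} id={f['id']!r} -> {f['verdict']}")
```

Two caveats when running this against real logs: if the application accepts the id in a POST body, access logs never show it, so the same check has to run in a WAF, a reverse proxy with body logging, or the application itself; and a 500 response paired with a quoted id (as in the third sample line) is a stronger signal than the status code alone, since it often means the injected quote reached the database.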


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-06T08:36:15.554Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686bf4b96f40f0eb72ea6aca

Added to database: 7/7/2025, 4:24:25 PM

Last enriched: 7/7/2025, 4:40:24 PM

Last updated: 7/7/2025, 7:04:48 PM
