CVE-2025-7135: SQL Injection in Campcodes Online Recruitment Management System

Severity: Medium
Published: Mon Jul 07 2025 (07/07/2025, 16:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Recruitment Management System

Description

A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/14/2025, 21:37:31 UTC

Technical Analysis

CVE-2025-7135 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Recruitment Management System. It arises from improper sanitization of the 'ID' parameter in the /admin/ajax.php endpoint when an 'action=save_vacancy' request is processed. A remote attacker can manipulate this parameter to inject SQL into the backend query, potentially gaining unauthorized read or write access to the database. According to the CVSS vector, exploitation requires no authentication, privileges, or user interaction, so the endpoint is reachable by unauthenticated remote attackers. The CVSS 4.0 base score is 6.9 (medium): network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although an exploit has been publicly disclosed, no exploitation in the wild has been observed at the time of writing. Only version 1.0 is affected, and no official patch or vendor mitigation has been published yet. Successful exploitation could lead to unauthorized data disclosure, data modification, or further compromise of the recruitment system's backend database, which may hold sensitive candidate and organizational data.

Potential Impact

For European organizations using Campcodes Online Recruitment Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of recruitment data. Exploitation could lead to unauthorized access to personal data of job applicants, including sensitive personal information protected under GDPR, resulting in regulatory penalties and reputational damage. Additionally, attackers could manipulate or delete vacancy postings or other recruitment data, disrupting HR operations. The remote and unauthenticated nature of the attack increases the risk of widespread exploitation, especially in organizations that expose the administration interface to the internet without adequate network protections. Given the critical role recruitment systems play in workforce management, a successful attack could also indirectly impact availability if the system is rendered unstable or unusable. The lack of known active exploits currently reduces immediate risk, but public disclosure increases the likelihood of future exploitation attempts.

Mitigation Recommendations

European organizations should immediately audit their use of Campcodes Online Recruitment Management System to identify any deployments of version 1.0. If found, they should isolate the affected systems from public internet access, especially the /admin/ajax.php endpoint, using network segmentation and firewall rules. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter can provide interim protection. Organizations should conduct thorough input validation and sanitization on all user-supplied parameters, particularly in administrative interfaces. Until an official patch is released, consider disabling or restricting access to the vulnerable functionality if feasible. Regularly monitor logs for suspicious activity related to the vulnerable endpoint. Additionally, organizations should prepare for incident response by backing up recruitment data securely and verifying the integrity of their databases. Engaging with the vendor for updates and patches is critical, and applying any future security updates promptly is essential to mitigate this vulnerability.
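As an added illustration of the log-monitoring and input-validation recommendations above (example code, not part of this advisory or the Campcodes project), the following Python checker flags requests to the vulnerable action whose id is not a plain integer. The combined-log layout, the assumption that a vacancy id is always an unsigned decimal integer, and the sample log lines are all constructed for the example.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Endpoint, action and parameter named in the advisory for CVE-2025-7135.
VULN_PATH = "/admin/ajax.php"
VULN_ACTION = "save_vacancy"
PARAM = "id"

# Apache/nginx combined-log prefix: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_well_formed_id(value: str) -> bool:
    """Assumption: a vacancy id is a short unsigned decimal integer; anything else is suspect."""
    return value.isdigit() and len(value) <= 10

def inspect_request(target: str, body: Optional[dict] = None) -> Optional[str]:
    """Return a finding for a save_vacancy request with a missing or malformed id, else None.

    `body` holds POSTed parameters when a WAF or application log provides them; a plain
    access log only carries the query string, so by default only that is inspected.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = {k.lower(): v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update({k.lower(): v for k, v in (body or {}).items()})
    if params.get("action") != VULN_ACTION:
        return None
    value = params.get(PARAM)
    if value is None:
        return "save_vacancy request without an id parameter"
    if not is_well_formed_id(value):
        return f"malformed id {value!r} sent to {VULN_ACTION}"
    return None

def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client IP, HTTP status, finding) for every suspicious line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := inspect_request(m["target"])):
            yield m["ip"], m["status"], finding

# Constructed sample traffic; the second line carries a quote character in the id.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jul/2025:16:05:01 +0000] "GET /admin/ajax.php?action=save_vacancy&id=12 HTTP/1.1" 200 154',
    '198.51.100.7 - - [07/Jul/2025:16:05:09 +0000] "GET /admin/ajax.php?action=save_vacancy&id=12%27 HTTP/1.1" 200 908',
    '198.51.100.7 - - [07/Jul/2025:16:05:12 +0000] "GET /admin/ajax.php?action=delete_vacancy&id=12 HTTP/1.1" 200 30',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The same `is_well_formed_id` rule is what the application itself should enforce before the value reaches a query, alongside a parameterized statement.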

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-06T08:36:15.554Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686bf4b96f40f0eb72ea6aca

Added to database: 7/7/2025, 4:24:25 PM

Last enriched: 7/14/2025, 9:37:31 PM

Last updated: 8/19/2025, 2:32:17 AM
