CVE-2025-7469

EUVD ID: EUVD-2025-21216
Severity: HIGH 7.3 (CVSS 3.1)
Published: 2025-07-12 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:56 (euvd) - EUVD-2025-21216
PoC Detected: Jul 15, 2025 - 15:32 (vuln.today) - Public exploit code
CVE Published: Jul 12, 2025 - 11:15 (nvd) - HIGH 7.3

Description

A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. This issue affects some unknown processing of the file /pages/product_add.php. The manipulation of the argument prod_name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7469 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the product addition functionality (/pages/product_add.php). An unauthenticated remote attacker can manipulate the 'prod_name' parameter to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely in the near term.

Technical Context

The vulnerability exists in a PHP-based web application (Campcodes Sales and Inventory System) that processes user-supplied input without proper sanitization or parameterized queries. The affected endpoint (/pages/product_add.php) likely builds dynamic SQL by concatenating the 'prod_name' parameter directly into SQL statements. The weakness is catalogued as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), the broader class that contains the specific SQL injection weakness, CWE-89. The root cause is insufficient input validation combined with the absence of prepared statements or parameterized queries. Based on the typical architecture of small-business inventory systems, the application likely runs on PHP with a MySQL/MariaDB backend.

Affected Products

Campcodes Sales and Inventory System version 1.0 (all instances) - CPE would be: cpe:2.3:a:campcodes:sales_and_inventory_system:1.0:*:*:*:*:*:*:*. The vendor 'Campcodes' and product 'Sales and Inventory System' appear to be a small-scale business management tool, likely self-hosted on shared hosting or internal servers. No specific CVE references to vendor advisories or official patches were provided in the source data, suggesting this may be an open-source or less-maintained project without formal vendor response infrastructure.

Remediation

Immediate remediation steps:

1. Upgrade Campcodes Sales and Inventory System to version 1.1 or later if available (verify the vendor's release notes for patch availability; none was provided in the base data).
2. If no patch exists, validate input by allow-listing the characters permitted in prod_name (alphanumeric, spaces, hyphens only) and rejecting special SQL characters (quotes, semicolons, dashes, asterisks).
3. Refactor /pages/product_add.php to use prepared statements with parameterized queries (mysqli_prepare() or PDO with bound parameters) instead of string concatenation.
4. Deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns in the prod_name parameter.
5. Apply the principle of least privilege: ensure the database account used by the application has minimal permissions (INSERT/SELECT only, no DROP/ALTER).
6. Audit all other input-handling PHP files for similar injection vulnerabilities.

Contact Campcodes support or the project repository for official patch status.
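Steps 2, 3 and 5 above, carried through as an added PHP example. This is not Campcodes' code (the project's source is not on this page); the table name `products`, the column `prod_name`, the DSN, the `DB_PASSWORD` environment variable and the account name `inventory_app` are assumptions made for the illustration. The concatenating version is a hypothetical reconstruction of the pattern the analysis describes, shown only for contrast with the hardened handler.

```php
<?php
// Added example for the product-add handler; not the project's own code.
// Assumed schema: table `products` with column `prod_name`.
declare(strict_types=1);

/**
 * Step 2: allow-list validation. Only letters, digits, spaces and hyphens pass,
 * length is bounded, and the SQL comment sequence "--" is refused explicitly
 * so the "reject dashes" advice holds even though single hyphens are allowed.
 * Returns the cleaned name, or null if the value must be rejected.
 */
function validateProductName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (str_contains($name, '--')) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9 -]+$/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Hypothetical reconstruction of the weak pattern described in the analysis:
 * the parameter is spliced into the SQL text, so anything in it that the
 * parser treats as syntax changes the statement. Do not use.
 */
function insertProductUnsafe(mysqli $db, string $prodName): bool
{
    $sql = "INSERT INTO products (prod_name) VALUES ('" . $prodName . "')";
    return $db->query($sql) === true;
}

/**
 * Step 3: prepared statement with a bound parameter. The value travels to the
 * server separately from the SQL text, so quotes or keywords inside it are
 * stored as data, never interpreted as syntax.
 */
function insertProductSafe(PDO $pdo, string $prodName): bool
{
    $stmt = $pdo->prepare('INSERT INTO products (prod_name) VALUES (:prod_name)');
    return $stmt->execute([':prod_name' => $prodName]);
}

// Connection for /pages/product_add.php (placeholder DSN and account).
// Step 5: `inventory_app` should be created with only the grants it needs, e.g.
//   GRANT SELECT, INSERT ON inventory.* TO 'inventory_app'@'localhost';
// so a successful injection elsewhere cannot DROP or ALTER tables.
$pdo = new PDO(
    'mysql:host=localhost;dbname=inventory;charset=utf8mb4',
    'inventory_app',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares; with emulation PDO would quote client-side instead.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$prodName = validateProductName((string) ($_POST['prod_name'] ?? ''));
if ($prodName === null) {
    http_response_code(400);
    exit('Invalid product name');
}

insertProductSafe($pdo, $prodName);
```

The prepared statement is the fix; the allow-list is defence in depth, not a substitute for it, since a character-based filter is easy to get wrong and does nothing for other parameters. Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO send the statement and its parameters separately to MySQL/MariaDB rather than escaping values into the query string on the client.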

Priority Score

57 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20

CVE-2025-7469 vulnerability details – vuln.today
