
PHP CVE-2025-7469

EUVD-2025-21216 · MEDIUM
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
2025-07-12 · cna@vuldb.com
5.5 · CVSS 4.0 · NVD

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

Severity Changed (Apr 29, 2026 - 01:11, NVD): HIGH → MEDIUM
CVSS changed (Apr 29, 2026 - 01:11, NVD): 7.3 (HIGH) → 5.5 (MEDIUM)
EUVD ID Assigned (Mar 16, 2026 - 08:56, euvd): EUVD-2025-21216
Analysis Generated (Mar 16, 2026 - 08:56, vuln.today)
PoC Detected (Jul 15, 2025 - 15:32, vuln.today): Public exploit code
CVE Published (Jul 12, 2025 - 11:15, nvd): HIGH 7.3

Description (CVE.org)

A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. This issue affects some unknown processing of the file /pages/product_add.php. The manipulation of the argument prod_name leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7469 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 affecting the product addition functionality (/pages/product_add.php). An unauthenticated remote attacker can manipulate the 'prod_name' parameter to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely in the near term.

Technical Context (AI)

The vulnerability exists in a PHP-based web application (Campcodes Sales and Inventory System) that processes user-supplied input without proper sanitization or parameterized queries. The affected endpoint (/pages/product_add.php) likely constructs dynamic SQL queries by directly concatenating user input from the 'prod_name' parameter into SQL statements. This violates CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') and relates to the broader SQL injection pattern (CWE-89). The root cause is insufficient input validation and the absence of prepared statements or parameterized queries. The application likely uses PHP with a MySQL/MariaDB backend, as is typical of small-business inventory systems.

Remediation (AI)

Immediate remediation steps:

(1) Upgrade Campcodes Sales and Inventory System to version 1.1 or later if available (verify vendor release notes for patch availability - not provided in base data).
(2) If no patch exists, implement input validation by whitelisting allowed characters in prod_name (alphanumeric, spaces, hyphens only) and reject special SQL characters (quotes, semicolons, dashes, asterisks).
(3) Refactor /pages/product_add.php to use prepared statements with parameterized queries (mysqli_prepare() or PDO with bound parameters) instead of string concatenation.
(4) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the prod_name parameter.
(5) Apply the principle of least privilege - ensure the database user account used by the application has minimal permissions (INSERT/SELECT only, no DROP/ALTER).
(6) Conduct a code audit of all other input-handling PHP files for similar injection vulnerabilities.

Contact Campcodes support/repository for official patch status.
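The concatenation pattern described under Technical Context shown next to the hardened handler that remediation steps (2) and (3) call for, as an added example that is not Campcodes code. It assumes PDO with an in-memory SQLite database so it runs offline (with MySQL/MariaDB only the DSN changes), and handleProductAdd is a hypothetical name, not a function from the project.

```php
<?php
// Vulnerable pattern from the analysis (shown only, never executed): prod_name is
// spliced into the SQL text, so the database parses user data as query structure.
function buildVulnerableInsert(string $prodName): string
{
    return "INSERT INTO products (prod_name) VALUES ('" . $prodName . "')";
}

// Remediation step (2): whitelist letters, digits, spaces and hyphens; returns null
// when acceptable. The 100-character bound is an assumption, not from the advisory.
function validateProdName(string $prodName): ?string
{
    if ($prodName === '' || strlen($prodName) > 100) {
        return 'prod_name must be 1-100 characters';
    }
    if (!preg_match('/^[A-Za-z0-9 -]+$/', $prodName)) {
        return 'prod_name may only contain letters, digits, spaces and hyphens';
    }
    return null;
}

// Remediation step (3): bound parameter. The value never becomes part of the
// SQL text, so quotes or comment sequences in it are stored as literal data.
function insertProduct(PDO $db, string $prodName): int
{
    $stmt = $db->prepare('INSERT INTO products (prod_name) VALUES (:name)');
    $stmt->bindValue(':name', $prodName, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// What a hardened product_add.php handler does with the POST body (hypothetical name).
function handleProductAdd(PDO $db, array $post): array
{
    $prodName = (string) ($post['prod_name'] ?? '');
    $error = validateProdName($prodName);
    if ($error !== null) {
        return ['status' => 400, 'message' => $error];
    }
    return ['status' => 201, 'message' => 'inserted id=' . insertProduct($db, $prodName)];
}

// In-memory SQLite stands in for the MySQL/MariaDB backend (assumption).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY AUTOINCREMENT, prod_name TEXT NOT NULL)');
// Constructed requests: a well-formed name, then one carrying a quote character.
foreach ([['prod_name' => 'Widget-200'], ['prod_name' => "Widget's"]] as $post) {
    $r = handleProductAdd($db, $post);
    echo $r['status'] . ' ' . $r['message'] . "\n";   // first inserts, second is rejected
}
```

Even if the whitelist were bypassed, insertProduct() would store a quote-bearing name as plain text rather than letting it alter the statement, which is why step (3) is the fix and step (2) only defence in depth.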


CVE-2025-7469 vulnerability details – vuln.today
