CVE-2025-7537

| EUVD-2025-21267 HIGH
2025-07-13 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:18 euvd
EUVD-2025-21267
PoC Detected
Jul 16, 2025 - 14:54 vuln.today
Public exploit code
CVE Published
Jul 13, 2025 - 19:15 nvd
HIGH 7.3

Tags

PHP SQLi Sales And Inventory System

Description

A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/product_update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7537 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/product_update.php file. An unauthenticated remote attacker can manipulate the 'ID' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation indicators suggest immediate remediation is warranted.

Technical Context

The vulnerability exists in a PHP-based web application (Campcodes Sales and Inventory System) that fails to properly sanitize or parameterize user input in the ID parameter passed to product_update.php. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output) / SQL Injection scenario where untrusted input is directly concatenated into SQL queries without prepared statements or proper escaping. The affected file processes product update requests, likely querying a backend database (MySQL/MariaDB typical in PHP applications) using dynamically constructed queries. The lack of input validation allows attackers to break out of the intended SQL syntax and inject malicious SQL commands.

Affected Products

Campcodes Sales and Inventory System version 1.0 is the sole confirmed affected product. No CPE string provided in original data, but typical CPE would be: cpe:2.3:a:campcodes:sales_and_inventory_system:1.0:*:*:*:*:*:*:*. The vulnerability specifically impacts the /pages/product_update.php endpoint. No information on whether later versions (1.1+) or other Campcodes products are affected. Vendor advisory information is not included in available references.

Remediation

Immediate actions: (1) Update Campcodes Sales and Inventory System to a patched version if available from the vendor (check vendor website for version 1.1 or later security releases); (2) If no patch exists, implement immediate compensating controls: apply Web Application Firewall (WAF) rules to block SQL injection patterns in the ID parameter (regex: detect quotes, SQL keywords like UNION, OR, semicolons); (3) Enforce prepared statements/parameterized queries in product_update.php code; (4) Implement input validation whitelisting for ID parameter (numeric-only if IDs are integers); (5) Apply principle of least privilege to database user accounts (read-only where possible); (6) Enable comprehensive SQL error logging and monitoring. Contact Campcodes support directly for vendor-specific patch availability and timeline.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-7537 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy