Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/product_update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-7537 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/product_update.php file. An unauthenticated remote attacker can manipulate the 'ID' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation indicators suggest immediate remediation is warranted.
Technical Context (AI)
The vulnerability exists in a PHP-based web application (Campcodes Sales and Inventory System) that fails to properly sanitize or parameterize user input in the ID parameter passed to product_update.php. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') / SQL injection scenario where untrusted input is directly concatenated into SQL queries without prepared statements or proper escaping. The affected file processes product update requests, likely querying a backend database (MySQL/MariaDB is typical in PHP applications) using dynamically constructed queries. The lack of input validation allows attackers to break out of the intended SQL syntax and inject malicious SQL commands.
Remediation (AI)
Immediate actions:
(1) Update Campcodes Sales and Inventory System to a patched version if available from the vendor (check vendor website for version 1.1 or later security releases);
(2) If no patch exists, implement immediate compensating controls: apply Web Application Firewall (WAF) rules to block SQL injection patterns in the ID parameter (regex: detect quotes, SQL keywords like UNION, OR, semicolons);
(3) Enforce prepared statements/parameterized queries in product_update.php code;
(4) Implement input validation whitelisting for ID parameter (numeric-only if IDs are integers);
(5) Apply principle of least privilege to database user accounts (read-only where possible);
(6) Enable comprehensive SQL error logging and monitoring.
Contact Campcodes support directly for vendor-specific patch availability and timeline.
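Actions (3) and (4) combined, as an added example that is not code from Campcodes Sales and Inventory System: the ID value is accepted only as a positive integer and then bound through a prepared statement. The table and column names (product, prod_id, prod_name) and both function names are hypothetical, and an in-memory SQLite database stands in for the application's real backend so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Added illustration, not the vendor's code. Names below are hypothetical.

/** Accept only a positive decimal integer; anything else yields null. */
function parseProductId(mixed $raw): ?int
{
    // ctype_digit rejects signs, whitespace, quotes and SQL keywords outright.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    // filter_var additionally rejects zero, leading zeros and integer overflow.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one product; the ID travels as a bound parameter, never as SQL text. */
function fetchProduct(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT prod_id, prod_name FROM product WHERE prod_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-in database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (prod_id INTEGER PRIMARY KEY, prod_name TEXT)');
$db->exec("INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget')");

// Constructed sample values for the ID request parameter.
foreach (['2', '2 OR 1=1', "2' -- ", '', '99'] as $raw) {
    $id = parseProductId($raw);
    if ($id === null) {
        // A real handler would answer HTTP 400 and log the rejected value.
        printf("%-12s rejected\n", var_export($raw, true));
        continue;
    }
    $row = fetchProduct($db, $id);
    printf("%-12s %s\n", var_export($raw, true), $row ? $row['prod_name'] : 'no such product');
}
```

Validation alone is not the fix: the bound parameter is what keeps the value out of the query text, and the integer check only narrows what reaches the database.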
EUVD-2025-21267