How to fix EUVD-2025-18723?

Within 24 hours: Isolate affected Campcodes instances from production networks or restrict network access to trusted users only; audit database access logs for suspicious activity. Within 7 days: Contact Campcodes for patch status and timeline; implement WAF rules to block SQL injection payloads targeting /pages/cash_transaction.php; conduct database integrity audit. Within 30 days: Deploy patched version or migrate to alternative inventory system; perform penetration testing to validate remediation.

Is PHP affected by EUVD-2025-18723?

A publicly disclosed SQL injection vulnerability in Campcodes Sales and Inventory System 1.0 allows remote attackers to compromise database integrity and potentially access sensitive business data without authentication.

EUVD-2025-18723

| CVE-2025-6312 HIGH

2025-06-20 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18723

PoC Detected

Jul 11, 2025 - 15:50 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 06:15 nvd

HIGH 7.3

Description

A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. This vulnerability affects unknown code of the file /pages/cash_transaction.php. The manipulation of the argument cid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6312 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/cash_transaction.php file where the 'cid' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploitation details available, making it actively exploitable in the wild.

Technical Context

This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically manifesting as SQL injection (a subset of injection attacks). The affected application is Campcodes Sales and Inventory System 1.0, a web-based inventory management platform written in PHP. The vulnerability exists in the cash_transaction.php page handler, where user-supplied input from the 'cid' parameter is directly concatenated into SQL queries without proper parameterized statements or input validation. The application likely uses PHP with a database backend (MySQL/MariaDB or similar), and the lack of prepared statements or ORM protection allows an attacker to break out of the intended SQL context and inject arbitrary SQL commands.

Affected Products

- product: Campcodes Sales and Inventory System; version: 1.0; vendor: Campcodes; affected_component: /pages/cash_transaction.php; vulnerable_parameter: cid; cpe: cpe:2.3:a:campcodes:sales_and_inventory_system:1.0:*:*:*:*:*:*:*

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

EUVD-2025-18723 vulnerability details – vuln.today

Back

EUVD-2025-18723

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-18723

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code