Login Sign Up

CVE-2025-13259

6.3 MEDIUM
SQL Injection

📋 TL;DR

CVE-2025-13259 is a SQL injection vulnerability in Campcodes Supplier Management System 1.0 that allows attackers to execute arbitrary SQL commands via the ID parameter in /manufacturer/edit_unit.php. This affects all users running the vulnerable version of this web application. Remote attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Campcodes Supplier Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application regardless of underlying OS. Requires the vulnerable PHP file to be accessible.

📦 What is this software?

Supplier Management System by Campcodes

View all CVEs affecting Supplier Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow file system access.

🟠

Likely Case

Unauthorized data access and modification of supplier/manufacturer records, potentially leading to business disruption or data integrity issues.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection vulnerabilities are commonly weaponized due to their prevalence and impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

1. Check vendor website for security updates. 2. If patch available, download and apply. 3. Test functionality after patching.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement proper input validation and parameterized queries for the ID parameter

Modify /manufacturer/edit_unit.php to use prepared statements with parameterized queries

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to detect and block SQL injection attempts targeting the vulnerable endpoint

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules
  • Implement database user with minimal necessary permissions

🔍 How to Verify

Check if Vulnerable:

Test the /manufacturer/edit_unit.php endpoint with SQL injection payloads in the ID parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return expected error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts or parameter manipulation

Network Indicators:

  • HTTP requests to /manufacturer/edit_unit.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/manufacturer/edit_unit.php" AND (param="ID" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")

📊 Metadata

CVE ID: CVE-2025-13259
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (11th percentile)
Published: November 17, 2025
Last Updated: February 24, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13259, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)