CVE-2025-13291

7.3 HIGH

📋 TL;DR

CVE-2025-13291 is a SQL injection vulnerability in Campcodes Supplier Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /manufacturer/confirm_order.php. This affects all users running the vulnerable version of this web application. Successful exploitation could lead to data theft, modification, or complete system compromise.

💻 Affected Systems

Products:
  • Campcodes Supplier Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the manufacturer module specifically. Requires PHP environment with database connectivity.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive supplier data, manipulation of order information, and potential authentication bypass.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web application component.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability is in a parameter that appears to be accessible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in the affected PHP file.
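The fix these instructions describe, as an added example that is not Campcodes' code: a hypothetical reconstruction of the confirm_order.php handler (the table and column names orders, id and status are assumptions) showing the vulnerable string-built query beside a hardened version that validates ID as an integer and binds it through a PDO prepared statement, exercised against an in-memory SQLite table of constructed rows.

```php
<?php
// Added example (not Campcodes' own code): hypothetical reconstruction of the
// confirm_order.php handler. Table/column names are assumptions.
// Requires the pdo_sqlite extension for the demonstration at the bottom.

// Vulnerable pattern: the raw ID value is spliced into the SQL text, so the
// client controls part of the statement the database executes.
function confirm_order_vulnerable(PDO $db, array $get): void
{
    $db->exec("UPDATE orders SET status = 'confirmed' WHERE id = '" . $get['ID'] . "'");
}

// Hardened: validate ID as a positive integer, then bind it as a parameter.
// Returns the number of rows updated, or null when the input is rejected.
function confirm_order_hardened(PDO $db, array $get): ?int
{
    // FILTER_VALIDATE_INT rejects quoted strings, "1e3", " 1" and "" outright;
    // is_numeric() alone would let some of those through.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // caller should answer 400 Bad Request
    }
    // The value is sent separately from the SQL text, so it can only ever be
    // compared as an integer, never parsed as part of the query.
    $stmt = $db->prepare('UPDATE orders SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', 'confirmed', PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demonstration on constructed data in an in-memory database.
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)");
$db->exec("INSERT INTO orders (id, status) VALUES (1, 'pending'), (2, 'pending'), (3, 'pending')");

var_dump(confirm_order_hardened($db, ['ID' => '2']));            // well-formed ID: bound as an integer, one row changes
var_dump(confirm_order_hardened($db, ['ID' => "1' OR '1'='1"])); // injection string: rejected before any query runs
var_dump(confirm_order_hardened($db, ['ID' => '1e3']));          // not an integer literal: rejected
var_dump(confirm_order_hardened($db, []));                       // parameter absent: rejected
foreach ($db->query('SELECT id, status FROM orders') as $row) {
    echo $row['id'], ' ', $row['status'], PHP_EOL;               // only order 2 is confirmed
}
```

On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the binding is done server-side rather than by client-side quoting.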

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Implement WAF rules to block SQL injection patterns targeting the ID parameter

Input Validation Filter

Add input validation to only accept numeric values for the ID parameter

<?php
// Reject anything that is not a plain integer before it reaches the query.
// FILTER_VALIDATE_INT is stricter than is_numeric(), which would also accept
// values such as "1e3" or " 1"; the null-coalesce covers a missing parameter
// without raising an undefined-index warning.
if (filter_var($_GET['ID'] ?? null, FILTER_VALIDATE_INT) === false) {
    http_response_code(400);
    die('Invalid input');
}
?>

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database queries from the application

🔍 How to Verify

Check if Vulnerable:

Test the /manufacturer/confirm_order.php endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1)

Check Version:

Check the application version in the admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads in the ID parameter no longer change the query's behaviour: the request is either rejected with a validation error or the value is passed to the database only as a bound parameter

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from the web application
  • SQL syntax errors in application logs
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests to /manufacturer/confirm_order.php with SQL keywords in parameters
  • Unusual database response sizes

SIEM Query:

source="web_logs" AND uri="/manufacturer/confirm_order.php" AND (param="ID" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|/\*)")

Note that the comment opener must be escaped as /\* inside the regex; an unescaped /* means "zero or more slashes", matches the empty string, and would make the alternation fire on every request.
