Slam Dunking the Database: A Deep Dive into CVE-2025-12337
Vulnerability ID: CVE-2025-12337
CVSS Score: 9.8
Published: 2025-10-28
A critical SQL Injection vulnerability in Campcodes Retro Basketball Shoes Online Store allows remote, unauthenticated attackers to execute arbitrary SQL commands via the 'pid' parameter.
TL;DR
Campcodes Retro Basketball Shoes Online Store v1.0 contains a classic SQL Injection vulnerability in the '/admin/admin_feature.php' file. Despite residing in the admin directory, the script allegedly fails to enforce authentication, allowing anyone to inject SQL via the 'pid' parameter. This grants full database access, enabling attackers to dump credentials, modify product pricing, or potentially achieve RCE depending on database privileges.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89 (SQL Injection)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (Remote)
- Privileges Required: None
- Exploit Status: PoC Available
- Vulnerable Param: pid (POST)
Affected Systems
- Campcodes Retro Basketball Shoes Online Store v1.0
-
Retro Basketball Shoes Online Store: = 1.0 (Fixed in:
N/A)
Exploit Details
- GitHub: Original disclosure and PoC demonstrating Boolean and Time-based injection.
- PacketStorm: Mirror of the exploit payloads.
Mitigation Strategies
- Implement Prepared Statements (PDO/MySQLi)
- Enforce strict input validation (Integer casting)
- Restrict access to /admin/ directory via IP allowlisting
- Deploy WAF (ModSecurity/Cloudflare) to block SQLi patterns
Remediation Steps:
- Locate /admin/admin_feature.php on the server.
- Identify the vulnerable SQL query handling $_POST['pid'].
- Rewrite the query to use parameterized inputs.
- Verify that authentication checks are actually enforced at the top of the file.
References
Read the full report for CVE-2025-12337 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)