CVE-2025-14529

|
CVE-2025-14529 SQL Injection vulnerability security high severity Campcodes Retro Basketball Shoes Online Store admin_running.php pid SQLi CVE database

Summary

CVE-2025-14529 is a HIGH severity SQL Injection vulnerability found in Campcodes Retro Basketball Shoes Online Store version 1.0. The vulnerability exists in the /admin/admin_running.php file, specifically through manipulation of the pid parameter, allowing a remote attacker to execute arbitrary SQL commands.

Technical Details

CVE-2025-14529 is a SQL Injection vulnerability. SQL Injection occurs when an application incorporates user-supplied input into SQL queries without proper sanitization or validation. In this case, the /admin/admin_running.php script in Campcodes Retro Basketball Shoes Online Store 1.0 uses the pid parameter directly in an SQL query without adequate sanitization. An attacker can inject malicious SQL code into the pid parameter, allowing them to manipulate the database. This can lead to unauthorized data access, modification, or deletion. The vulnerability is remotely exploitable, meaning an attacker does not need local access to the server to exploit it. The published exploit code makes exploitation relatively straightforward.

Affected Products and Versions

  • Campcodes Retro Basketball Shoes Online Store 1.0

Impact Assessment

Successful exploitation of CVE-2025-14529 can have significant consequences for the affected system and its users.

  • Data Breach Risk: An attacker can potentially access sensitive customer data, including personal information, addresses, and payment details.
  • System Compromise: The attacker could modify or delete data, potentially disrupting the online store's operations. In severe cases, the attacker might gain complete control over the database server.
  • Reputational Damage: A successful attack can severely damage the reputation of the online store, leading to a loss of customer trust and revenue.

Remediation

Immediate Actions

  • Apply Input Sanitization: Implement robust input validation and sanitization techniques to prevent malicious SQL code from being injected into the pid parameter. Use parameterized queries or prepared statements to ensure that user input is treated as data, not as executable code.
  • Restrict Database Privileges: Limit the database user's privileges to the minimum necessary for the application to function correctly. This can help to mitigate the impact of a successful SQL Injection attack.
  • Monitor System Logs: Monitor system logs for suspicious activity, such as unusual database queries or error messages.

Long-term Solutions

  • Upgrade to a Secure Version: If a patched version of Campcodes Retro Basketball Shoes Online Store is available, upgrade to the latest version as soon as possible.
  • Implement a Web Application Firewall (WAF): A WAF can help to detect and block SQL Injection attacks before they reach the application.
  • Conduct Regular Security Audits: Perform regular security audits and penetration testing to identify and address potential vulnerabilities.

References

Detection & Scanning

This SQL Injection vulnerability can be detected by analyzing web server logs for suspicious SQL queries targeting the /admin/admin_running.php endpoint with manipulated pid parameters. Security scanners and web application firewalls (WAFs) can also be configured to detect and block such attacks.

Scan Your Website

Secably AI Scanner can detect this and 50+ other vulnerabilities automatically.

Start Free Scan

Scan Your Website for Vulnerabilities

Discover security issues before attackers do. Our AI-powered scanner checks for the vulnerabilities discussed in this guide and more.

Start Free Scan