Campcodes Advanced Online Voting System CVE-2025-11409
Severity (by source): LOW
CVSS vector (NVD; primary rating and only source for this CVE): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was detected in Campcodes Advanced Online Voting Management System 1.0. The impacted element is an unknown function of the file /index.php. Performing manipulation of the argument voter results in SQL injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Analysis (AI)
SQL injection in Campcodes Advanced Online Voting Management System 1.0 allows authenticated remote attackers to manipulate the voter parameter of /index.php, potentially leading to unauthorized data access or modification. The CVSS score is low (2.1) because exploitation requires an authenticated account and the confidentiality impact is limited. Public exploit code exists, but EPSS places the exploitation probability at the 8th percentile, so this remains a lower-priority issue despite the available proof of concept (POC).
Technical Context (AI)
The vulnerability stems from improper input validation in a PHP application handling voter-related parameters. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection') indicates that the application fails to sanitize or parameterize SQL queries constructed from user-supplied voter input. The /index.php endpoint accepts the voter parameter without sufficient SQL injection protections, allowing an authenticated user to inject arbitrary SQL commands. This is a classic SQL injection attack vector where attackers can craft malicious SQL syntax within the voter field to bypass query logic, extract data, or modify database contents.
Remediation (AI)
No vendor-released patch has been identified at time of analysis. Immediate remediation requires either upgrading to a patched version (if available from Campcodes) or applying manual input validation controls. Implement parameterized queries or prepared statements for all database interactions in /index.php, and validate the voter parameter against a whitelist (e.g., accept only numeric voter IDs or other approved formats) before it reaches the query. As a compensating control, restrict access to /index.php to trusted internal networks via an IP allowlist or Web Application Firewall (WAF) rules, or rate-limit submissions of the voter parameter to reduce automated exploitation. Contact Campcodes directly at www.campcodes.com for patch availability and security guidance. If the application is exposed to untrusted networks, consider disabling the voter functionality temporarily until a fix is confirmed.
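The two controls recommended above (whitelist validation of the voter parameter and a parameterized query) are shown together in the added example below. This is illustrative code written for this page, not Campcodes' own /index.php, whose affected function the advisory does not identify; the table and column names (voters, id, name, status), the PDO DSN and credentials, and the function names are assumptions. The insecure pattern the advisory describes (input concatenated into the SQL string) is included only for contrast with the hardened handler.

```php
<?php
// Added example (not Campcodes code): hardened handling of a "voter"
// request parameter in a PHP/MySQL application. Table/column names
// and the PDO connection details are assumptions for illustration.

declare(strict_types=1);

// The CWE-74 pattern the advisory describes: user input spliced into the
// query text, so the input can change the SQL structure. Kept for contrast
// only; it must not be used.
function lookupVoterUnsafe(PDO $db, string $voter): array
{
    $sql = "SELECT id, name, status FROM voters WHERE id = '" . $voter . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Layer 1: whitelist validation. A voter ID is accepted only if it is a
// positive integer; anything else is rejected before the database layer.
function validateVoterId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Layer 2: prepared statement with a typed bound parameter. The value is
// sent as data, so the query structure is fixed regardless of its content.
function lookupVoterSafe(PDO $db, int $voterId): array
{
    $stmt = $db->prepare('SELECT id, name, status FROM voters WHERE id = :id');
    $stmt->bindValue(':id', $voterId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical request handler for /index.php wiring the two layers together.
function handleVoterRequest(PDO $db, array $request): void
{
    $voterId = validateVoterId($request['voter'] ?? null);
    if ($voterId === null) {
        // Log the rejection for detection purposes without echoing the input.
        error_log('voter parameter rejected by validation from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        echo 'Invalid voter ID.';
        return;
    }
    header('Content-Type: application/json');
    echo json_encode(lookupVoterSafe($db, $voterId));
}

// Assumed connection; native server-side prepares are enforced so that
// bound parameters are never interpolated client-side by the driver.
$db = new PDO('mysql:host=localhost;dbname=voting;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
handleVoterRequest($db, $_GET);
```

Validation and parameterization are independent defenses: the prepared statement alone already prevents the injection, while the whitelist rejects malformed input early and gives the application a clean, loggable signal (the rejected request above) that can feed WAF or rate-limiting rules.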