Campcodes Advanced Online Voting System CVE-2025-11410
Severity: LOW (rating by source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in Campcodes Advanced Online Voting Management System 1.0. This affects an unknown function of the file /admin/voters_add.php. Executing manipulation of the argument firstname can lead to SQL injection. The attack can be executed remotely. The exploit has been published and may be used. Other parameters might be affected as well.
Analysis (AI)
SQL injection in Campcodes Advanced Online Voting System 1.0 allows authenticated remote attackers to manipulate the firstname parameter of /admin/voters_add.php, with limited confidentiality, integrity and availability impact on the vulnerable system (VC:L/VI:L/VA:L) and no impact on subsequent systems. Exploitation requires a valid account (PR:L) and no user interaction, and a proof of concept is public (E:P); the EPSS score of 0.03% (8th percentile) nevertheless indicates a low probability of exploitation in the wild. Because the endpoint sits under /admin/, the credentials needed in practice are those of an application administrator, which narrows the pool of attackers to insiders or to anyone who has obtained such credentials.
Technical Context (AI)
The vulnerability exists in a PHP script (/admin/voters_add.php) that handles the administrative "add voter" form. The root cause is the construction of an SQL statement from request input without parameterization or adequate validation. NVD classifies it under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent class of the more specific CWE-89 (SQL Injection). The firstname parameter is concatenated into the query text, or is sanitized insufficiently, so a value containing a quote character terminates the intended string literal and the remainder is parsed as SQL. Other form fields submitted to the same script are likely built into the statement the same way, which is why the description notes that other parameters might be affected as well.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. The definitive fix is in the source: review /admin/voters_add.php and every other script that builds SQL from request data, and replace string concatenation with prepared statements (mysqli or PDO, with bound parameters rather than manual escaping). In addition, validate the firstname parameter and the other form fields against an allow-list appropriate to each field (for a name: letters, spaces, hyphens, apostrophes and periods, with a maximum length) and reject requests that fail, rather than trying to strip suspicious characters. Validation is defence in depth; parameterization is what actually prevents the injection.

If the code cannot be changed immediately, apply compensating controls. Restrict access to the /admin/ directory to trusted source addresses in the web server configuration (an Apache .htaccess or a nginx location block): exploitation needs a valid account, so this blocks attackers using stolen or guessed administrator credentials from untrusted networks and removes the endpoint from Internet-wide exposure. Enforce strong administrator passwords (at least 16 characters) and, where the deployment allows, multi-factor authentication on the admin login. Turn off display of database errors to users (PHP display_errors = Off, with errors still logged server-side) so that error-based injection cannot be used to read data through the response.

Engage the vendor (https://www.campcodes.com/) for an official patched release. For detection, monitor web server and application logs for POST requests to /admin/voters_add.php whose firstname or other fields contain SQL metacharacters (quotes, comment sequences, UNION/SELECT keywords), and enable database query or audit logging so that unexpected statements originating from the application account are visible.
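The following is an added example and not the Campcodes source, which is not reproduced on this page. It illustrates the pattern described in the Technical Context (request fields concatenated into an INSERT) and the fix described above (allow-list validation followed by a PDO prepared statement). The table and column names (voters, firstname, lastname) and the form field names are assumptions; the vulnerable function is a hypothetical reconstruction of the flaw class, not the real voters_add.php. The script uses an in-memory SQLite database through PDO so that it runs stand-alone (requires the pdo_sqlite and mbstring extensions).

```php
<?php
declare(strict_types=1);
// Added example, not Campcodes code. Run with: php voters_add_example.php
// Schema, column names and form field names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE voters (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)');

// Vulnerable pattern (hypothetical reconstruction of the flaw the advisory
// describes, do not use): request fields become part of the SQL text, so a
// quote character in firstname ends the string literal and the rest of the
// value is parsed as SQL.
function insertVoterVulnerable(PDO $db, array $post): int
{
    $sql = "INSERT INTO voters (firstname, lastname) VALUES ('"
         . $post['firstname'] . "', '" . $post['lastname'] . "')";
    return $db->exec($sql); // affected rows
}

// Hardened step 1: allow-list validation. Unicode letters, combining marks
// (accents), space, hyphen, apostrophe and period; 1 to 64 characters.
// Anything else is rejected rather than "cleaned".
function validateName(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    return preg_match("/^[\p{L}\p{M} .'\-]+$/u", $value) ? $value : null;
}

// Hardened step 2: bind parameters. The statement text is fixed; the driver
// passes values separately, so the database never parses them as SQL.
function insertVoterSafe(PDO $db, array $post): int
{
    $first = validateName((string) ($post['firstname'] ?? ''));
    $last  = validateName((string) ($post['lastname'] ?? ''));
    if ($first === null || $last === null) {
        return 0; // the web handler should answer HTTP 400 here
    }
    $stmt = $db->prepare('INSERT INTO voters (firstname, lastname) VALUES (?, ?)');
    $stmt->execute([$first, $last]);
    return $stmt->rowCount();
}

// Constructed attacker input: the value closes the intended row and appends
// a second, attacker-controlled row to the same INSERT.
$payload = ['firstname' => "Eve', 'x'), ('Mallory", 'lastname' => 'Smith'];

echo "vulnerable: " . insertVoterVulnerable($db, $payload) . " row(s) inserted\n";
$db->exec('DELETE FROM voters');

echo "safe, payload:   " . insertVoterSafe($db, $payload) . " row(s) inserted\n";

// A legitimate name containing an apostrophe is accepted by the validator and
// stored verbatim by the prepared statement.
$legit = ['firstname' => 'Eve', 'lastname' => "O'Brien"];
echo "safe, O'Brien:   " . insertVoterSafe($db, $legit) . " row(s) inserted\n";

foreach ($db->query('SELECT firstname, lastname FROM voters') as $row) {
    echo "  stored: {$row['firstname']} {$row['lastname']}\n";
}
```

The concatenating version would also throw a syntax error on the legitimate surname O'Brien, which is usually the first visible symptom of this bug in production; the prepared statement handles it without any escaping. Against MySQL the same pattern applies with mysqli or PDO MySQL, and PDO::ATTR_EMULATE_PREPARES should be set to false so that the server, not the client library, performs the parameter binding.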