Campcodes Online Beauty Parlor Management System CVE-2025-11664
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Campcodes Online Beauty Parlor Management System 1.0. The impacted element is an unknown function of the file /admin/search-appointment.php. Such manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
SQL injection in Campcodes Online Beauty Parlor Management System 1.0 allows high-privileged attackers to manipulate the searchdata parameter in /admin/search-appointment.php, enabling arbitrary database queries with limited confidentiality and integrity impact. The vulnerability requires administrative privileges to exploit and has a publicly disclosed proof-of-concept, though real-world exploitation risk is minimal given the EPSS score of 0.01% and the requirement for high-privilege access.
Technical ContextAI
The vulnerability is a SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an Output Command, PHP injection) in a PHP-based web application. The /admin/search-appointment.php script fails to properly sanitize the searchdata parameter before incorporating it into SQL queries, allowing an attacker with administrative credentials to inject arbitrary SQL syntax. This is a classic parameterized query bypass or input validation failure common in legacy PHP applications that predate modern ORM frameworks and prepared statement usage. The CPE string cpe:2.3:a:campcodes:online_beauty_parlor_management_system:1.0 confirms the affected product is version 1.0 of the Campcodes system.
RemediationAI
Upgrade to a patched version of Campcodes Online Beauty Parlor Management System if available from the vendor at https://www.campcodes.com/. If an update is not available, implement immediate input validation and parameterized queries: modify /admin/search-appointment.php to use prepared statements with bound parameters for the searchdata input, filtering special SQL characters (single quotes, semicolons, comment delimiters) from user input before query construction, and enforcing strict type checking on the searchdata parameter. Additionally, restrict access to /admin/ directory to a whitelist of trusted IP addresses and implement rate limiting on search endpoints to reduce automated exploitation attempts. Monitor database query logs for suspicious SQL patterns or failed queries originating from the admin interface. Web Application Firewall (WAF) rules targeting SQL injection patterns can provide defense-in-depth, though WAF alone is insufficient without code fixes.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today