Campcodes Advanced Voting Management System CVE-2025-14889
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Improper authorization in Campcodes Advanced Voting Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/voters_edit.php, resulting in unauthorized modification of voter passwords. The vulnerability affects the Password Handler component and requires valid user credentials to exploit, limiting real-world risk despite public exploit availability. EPSS exploitation probability is low at 0.06 percentile, suggesting this flaw targets specific administrative scenarios rather than representing widespread attack potential.
Technical ContextAI
The vulnerability exists in a PHP-based administrative interface component responsible for password management within a voting system. The root cause is classified under CWE-266 (Incorrect Privilege Assignment), indicating the application fails to properly validate authorization checks on the ID parameter passed to the password handler function in /admin/voters_edit.php. An authenticated administrator can bypass intended access controls by directly manipulating the ID argument, circumventing role-based or object-level authorization checks that should restrict password modifications to authorized targets only. The flaw is not a cryptographic weakness but rather a logical authorization failure in the business logic layer of the web application.
RemediationAI
No vendor-released patch has been identified at time of analysis. Organizations deploying Campcodes Advanced Voting Management System 1.0 should immediately contact the vendor at https://www.campcodes.com/ to request a security update or patch version addressing the authorization bypass in /admin/voters_edit.php. As interim compensating controls, restrict administrative dashboard access (the /admin/ directory) to a minimal set of trusted IP addresses using network-level filtering or web application firewall rules, enforce multi-factor authentication for all administrative accounts to reduce the risk of compromised credentials, implement audit logging on the voters_edit.php endpoint to detect unauthorized password modification attempts, and consider applying input validation or object-level authorization checks at the application layer if vendor support is unavailable. These mitigations do not eliminate the vulnerability but significantly raise the bar for exploitation by reducing the number of authenticated users with access to the vulnerable function.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today