EUVD-2025-17022CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, affecting the authentication endpoint at /admin/ajax.php?action=login. An unauthenticated remote attacker can manipulate the Username parameter to execute arbitrary SQL queries, potentially leading to unauthorized access, data exfiltration, or database manipulation. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
Technical Context
This vulnerability represents a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) in the administrative AJAX login handler. The affected endpoint fails to properly sanitize or parameterize user input in the Username parameter before incorporation into SQL queries. The vulnerability exists in a PHP-based web application (Campcodes Online Recruitment Management System) at the authentication layer, where the lack of input validation or prepared statements allows attackers to inject arbitrary SQL syntax. CWE-74, while broadly categorized as an output encoding issue, encompasses injection attacks where special characters bypass downstream SQL query construction. The root cause is insufficient input validation prior to SQL query execution in the authentication workflow.
Affected Products
Campcodes Online Recruitment Management System version 1.0 is explicitly affected. The vulnerable endpoint is /admin/ajax.php?action=login. No patched version has been identified in available intelligence. CPE designation would be: cpe:2.3:a:campcodes:online_recruitment_management_system:1.0:*:*:*:*:*:*:*. The vulnerability affects all deployments of version 1.0 regardless of hosting environment or configuration, as the flaw is inherent to the application code. Organizations operating this system in production environments are at immediate risk.
Remediation
Immediate remediation steps: (1) Apply input validation and parameterized queries (prepared statements) to all user inputs in /admin/ajax.php, specifically the Username parameter—use parameterized SQL queries with bound variables rather than string concatenation; (2) Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the login endpoint; (3) Upgrade to a patched version when released by Campcodes—monitor official vendor channels for security updates; (4) As interim mitigation, disable direct access to /admin/ajax.php?action=login if an alternative authentication method is available, or restrict IP access to administrative endpoints; (5) Conduct immediate database activity auditing for signs of prior exploitation. No official patch version has been publicly released as of this analysis—contact Campcodes directly for patch availability and timeline.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today