Which versions of PHP are affected by CVE-2025-6311?

A SQL injection vulnerability exists in Campcodes Sales and Inventory System 1.0 that allows remote attackers to manipulate database queries through the account_add.php file.

Is there a public PoC exploit available for CVE-2025-6311?

Yes, a public proof-of-concept exploit is available for CVE-2025-6311. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6311?

Within 24 hours: Identify all instances of Campcodes Sales and Inventory System 1.0 in your environment and assess criticality; implement WAF rules to block SQL injection patterns targeting /pages/account_add.php; restrict network access to this application to trusted IPs only. Within 7 days: Disable the account_add.php functionality if operationally feasible, or implement input validation and parameterized queries at the application layer; conduct database access log review for signs of exploitation. Within 30 days: Evaluate migration to an alternative, actively maintained inventory system; contact Campcodes for patch timeline; perform full security assessment of all affected systems.

PHP CVE-2025-6311

Q: What is the CVSS score of CVE-2025-6311?

CVE-2025-6311 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2025-18725 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-20 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18725

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Jul 11, 2025 - 15:50 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 06:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/account_add.php. The manipulation of the argument id/amount leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation risk with a CVSS score of 7.3 indicating medium-to-high severity.

Technical ContextAI

The vulnerability stems from improper input validation in the account_add.php script, classified under CWE-74 (Improper Neutralization of Special Elements in Output), which encompasses SQL injection flaws. The root cause is insufficient parameterization or sanitization of user-supplied input (id/amount parameters) before incorporation into SQL queries. The affected product is Campcodes Sales and Inventory System v1.0, a web-based inventory management application. The vulnerability allows attackers to bypass query intent through SQL metacharacter injection, enabling direct database manipulation through HTTP requests to an unauthenticated endpoint.

RemediationAI

priority: CRITICAL; action: Upgrade Campcodes Sales and Inventory System to a patched version (version >1.0 if available, or evaluate alternative products if no patch released); details: Contact Campcodes vendor for security update availability. If patch unavailable, implement Web Application Firewall (WAF) rules to block SQL injection patterns in id/amount parameters.
priority: HIGH; action: Implement prepared statements/parameterized queries; details: Modify /pages/account_add.php to use prepared statements with bound parameters instead of string concatenation for all SQL queries.
priority: HIGH; action: Input validation and sanitization; details: Implement strict whitelist validation for 'id' parameter (numeric validation) and 'amount' parameter (decimal/numeric validation). Reject any input containing SQL metacharacters (', ", ;, --, /*, etc.).
priority: MEDIUM; action: Authentication enforcement; details: Require authentication before accessing /pages/account_add.php endpoint; implement role-based access control to restrict account modifications.
priority: MEDIUM; action: Deploy Web Application Firewall (WAF); details: Configure WAF with SQL injection detection rules (ModSecurity, AWS WAF, Cloudflare) to block malicious payloads targeting the vulnerable endpoint.
priority: LOW; action: Database permissions hardening; details: Apply principle of least privilege to database user accounts; restrict write/delete operations to minimum necessary permissions to limit damage from successful SQL injection.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-6311 vulnerability details – vuln.today

Back

PHP CVE-2025-6311

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code