CVE-2025-7454

| EUVD-2025-21185 HIGH
2025-07-11 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 08:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 08:18 euvd
EUVD-2025-21185
PoC Detected
Jul 16, 2025 - 14:59 vuln.today
Public exploit code
CVE Published
Jul 11, 2025 - 19:15 nvd
HIGH 7.3

Tags

PHP SQLi Online Movie Theater Seat Reservation System

Description

A vulnerability classified as critical has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected is an unknown function of the file /admin/manage_theater.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7454 is a critical SQL injection vulnerability in Campcodes Online Movie Theater Seat Reservation System version 1.0, specifically in the /admin/manage_theater.php file where the ID parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the theater reservation database. The exploit has been publicly disclosed and is actively exploitable with no authentication required.

Technical Context

The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), manifesting specifically as SQL injection. The affected component is the /admin/manage_theater.php administrative interface in Campcodes Online Movie Theater Seat Reservation System 1.0. The application fails to properly sanitize or parameterize the 'ID' parameter before incorporating it into SQL queries, allowing attackers to inject malicious SQL syntax. This is a classic second-order input validation flaw where user-supplied input is directly concatenated into database query construction without using prepared statements or parameterized queries. CPE for affected product: cpe:2.3:a:campcodes:online_movie_theater_seat_reservation_system:1.0:*:*:*:*:*:*:*

Affected Products

- vendor: Campcodes; product: Online Movie Theater Seat Reservation System; version: 1.0; cpe: cpe:2.3:a:campcodes:online_movie_theater_seat_reservation_system:1.0:*:*:*:*:*:*:*; affected_component: /admin/manage_theater.php; affected_parameter: ID; vulnerability_type: SQL Injection (CWE-74)

Remediation

Upgrade to a patched version if available from vendor Vendor Contact: Contact Campcodes immediately for official patch status and timeline

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-7454 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy