PHP CVE-2025-7536

EUVD ID: EUVD-2025-21263
Severity: 5.5 MEDIUM (CVSS 4.0, NVD)
Weakness: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Published: 2025-07-13
CNA: cna@vuldb.com (VulDB)

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Base and threat metrics decoded from the vector above:
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low (VC:L/VI:L/VA:L)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Note: CVSS 4.0 has no Scope metric. The S:X near the end of the vector is the Safety supplemental metric, left undefined here, as are the remaining supplemental and environmental metrics (all X).

Lifecycle Timeline (6 events, newest first)

Apr 29, 2026 01:11 (NVD): Severity changed from HIGH to MEDIUM
Apr 29, 2026 01:11 (NVD): CVSS score changed from 7.3 (HIGH) to 5.5 (MEDIUM)
Mar 16, 2026 09:18 (EUVD): EUVD ID assigned, EUVD-2025-21263
Mar 16, 2026 09:18 (vuln.today): Analysis generated
Jul 16, 2025 14:54 (vuln.today): PoC detected, public exploit code available
Jul 13, 2025 18:15 (NVD): CVE published with an initial rating of HIGH 7.3

Description (CVE.org)

A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pages/receipt_credit.php. The manipulation of the argument sid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7536 is an SQL injection vulnerability in Campcodes Sales and Inventory System 1.0, reachable through the 'sid' parameter of /pages/receipt_credit.php. The VulDB description calls it "critical", while NVD's CVSS 4.0 assessment (5.5 MEDIUM, revised down from an initial 7.3) scores the direct impact as low confidentiality, integrity and availability loss on the vulnerable system, with network access and no privileges or user interaction required. An unauthenticated remote attacker can change the SQL query the page executes, which in practice means reading or modifying data in the application's database and, depending on the privileges of the database account, further compromise of the host. Public proof-of-concept code exists (Exploit Maturity P in the vector), so exploitation takes little effort; this by itself is not evidence of active exploitation in the wild.

Technical Context (AI)

The advisory classifies the flaw as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), the parent of the more specific CWE-89 (SQL Injection) that describes it exactly. The CVE text names only the affected file and parameter and calls the code path "unknown functionality", so the exact query is not published; the behaviour described is consistent with the 'sid' value being placed into an SQL string without validation or a prepared statement, the usual cause in small PHP/MySQL applications such as this inventory system. No CPE name is listed on this page; a plausible form is cpe:2.3:a:campcodes:sales_and_inventory_system:1.0:*:*:*:*:*:*:* (assumed here, not confirmed against NVD). The root cause is user input trusted as part of a query, a well-understood and fully preventable class of defect.

Remediation (AI)

1. Patch (priority: Immediate). Upgrade to a patched version. No patch version is specified in the disclosure; contact Campcodes for availability and check the vendor's official channels for advisories.
2. Workaround, input validation (priority: Urgent). Apply strict validation to the 'sid' parameter: if sid is expected to be an integer, accept only digit strings, reject everything else including SQL metacharacters, and enforce a length limit.
3. Workaround, parameterized queries (priority: Urgent). Refactor receipt_credit.php to use prepared statements with bound parameters (mysqli prepared statements or PDO) instead of string concatenation.
4. Mitigation, network controls (priority: High). Restrict access to the receipt_credit.php endpoint with firewall or WAF rules, add rate limiting and anomaly detection, and deploy WAF rules that block SQL injection patterns.
5. Mitigation, database hardening (priority: High). Run the application under a least-privilege database account limited to the tables and operations it needs, and suppress error messages that reveal database structure.
6. Monitoring (priority: Medium). Enable query logging and watch for suspicious SQL patterns; use intrusion detection to flag requests carrying SQL keywords in parameters.
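Added example, not the Campcodes project's code and not reconstructed from it: a hypothetical receipt_credit.php handler showing the concatenation pattern described in the Technical Context next to a hardened version that applies remediation items 2 and 3 above, strict integer validation of sid followed by a PDO prepared statement with a bound parameter. The table name credit_receipts, the DSN, the database user and the environment variable are assumptions; the real schema is not published on this page.

```php
<?php
// Added example for CVE-2025-7536; not code from the Campcodes project.
// Assumptions: table credit_receipts with integer column sid, MySQL DSN below,
// database user app_readonly, password in DB_PASSWORD. Requires PHP >= 8.0.
declare(strict_types=1);

// --- Vulnerable pattern (the class of bug the advisory describes; for contrast only) ---
// With the raw query-string value spliced into the SQL, a request such as
//   /pages/receipt_credit.php?sid=42' OR '1'='1
// returns every receipt, and a UNION SELECT payload reads other tables.
function fetchReceiptVulnerable(PDO $db, string $sid): ?array
{
    $sql = "SELECT * FROM credit_receipts WHERE sid = '" . $sid . "'"; // injection point
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened version ------------------------------------------------------------
// 1. Validate: sid is a record identifier, so accept only a bounded positive integer.
//    $_GET values are strings (or arrays); anything else is rejected before use.
function parseSid(mixed $raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    $sid = (int) $raw;
    return $sid > 0 ? $sid : null;
}

// 2. Parameterise: the value travels to the server as a bound integer and is never
//    parsed as SQL, so this holds even if the validation step were loosened later.
function fetchReceiptSafe(PDO $db, int $sid): ?array
{
    $stmt = $db->prepare('SELECT * FROM credit_receipts WHERE sid = :sid');
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Request handling -------------------------------------------------------------
$pdo = new PDO(
    'mysql:host=localhost;dbname=inventory;charset=utf8mb4', // assumed DSN
    'app_readonly',                                          // least-privilege account (item 5)
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);

$sid = parseSid($_GET['sid'] ?? null);
if ($sid === null) {
    http_response_code(400);
    exit('Invalid receipt id');
}

try {
    $receipt = fetchReceiptSafe($pdo, $sid);
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep driver errors server-side (item 5: no schema leakage)
    http_response_code(500);
    exit('Internal error');
}

if ($receipt === null) {
    http_response_code(404);
    exit('Receipt not found');
}
header('Content-Type: application/json');
echo json_encode($receipt, JSON_THROW_ON_ERROR);
```

The validation step alone would already block the published attack class for an integer sid, but it is the prepared statement that makes the fix durable: a later change that lets sid become a free-text search term would reopen the concatenating version and leave the parameterised one intact. Disabling emulated prepares matters for the same reason; with emulation on, PDO interpolates the value client-side instead of sending it separately from the query.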
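Added example, not code from the project or from vuln.today: the Monitoring item above ("flag SQL keywords in request parameters") carried out over web-server access-log lines for /pages/receipt_credit.php. The log lines, IP addresses and payloads are constructed for the example. The script decodes the query string first, checks that sid is the plain integer the application expects, and only then matches SQL syntax, so percent-encoding does not hide the payload from the match.

```php
<?php
// Added detection example for CVE-2025-7536; the log lines below are constructed.
declare(strict_types=1);

const TARGET_PATH = '/pages/receipt_credit.php';

// Constructed combined-format access-log lines: one legitimate request, three
// injection attempts (boolean, UNION-based, time-based) and an unrelated page.
$logLines = [
    '203.0.113.7 - - [14/Jul/2025:10:01:22 +0000] "GET /pages/receipt_credit.php?sid=42 HTTP/1.1" 200 1288 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2025:10:01:25 +0000] "GET /pages/receipt_credit.php?sid=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jul/2025:10:02:01 +0000] "GET /pages/receipt_credit.php?sid=1%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20users HTTP/1.1" 200 2048 "-" "sqlmap/1.8"',
    '198.51.100.9 - - [14/Jul/2025:10:02:03 +0000] "GET /pages/receipt_credit.php?sid=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 1288 "-" "sqlmap/1.8"',
    '192.0.2.44 - - [14/Jul/2025:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

// Returns an alert record for a suspicious request to the target path, else null.
function inspectLine(string $line): ?array
{
    // client IP, timestamp, method, URI and status from the combined log format
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $uri, $status] = $m;

    $parts = parse_url($uri);
    if (($parts['path'] ?? '') !== TARGET_PATH || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params); // percent-decodes the values
    if (!isset($params['sid']) || !is_string($params['sid'])) {
        return null;
    }
    $sid = $params['sid'];

    $reasons = [];
    // Allow-list check: the application expects a plain integer; anything else is a deviation.
    if (!ctype_digit($sid)) {
        $reasons[] = 'sid is not a plain integer';
    }
    // Keyword check labels the kind of payload; it is secondary to the allow-list check.
    if (preg_match('/\b(union|select|sleep|benchmark|or|and)\b|--|\/\*|\'|"/i', $sid)) {
        $reasons[] = 'SQL syntax in sid';
    }
    if ($reasons === []) {
        return null;
    }
    return compact('ip', 'ts', 'method', 'status', 'sid', 'reasons');
}

$alerts = array_values(array_filter(array_map('inspectLine', $logLines)));

foreach ($alerts as $a) {
    printf("%s %s %s status=%s sid=%s : %s\n",
        $a['ts'], $a['ip'], $a['method'], $a['status'], $a['sid'], implode('; ', $a['reasons']));
}

// Per-source counts support the rate-limiting / anomaly-detection item: repeated
// malformed sid values from one address are a stronger signal than a single hit.
$perIp = array_count_values(array_column($alerts, 'ip'));
foreach ($perIp as $ip => $n) {
    printf("%s: %d suspicious request(s)\n", $ip, $n);
}
```

Run with `php detect.php`; the three payload lines are reported and the two clean lines are not. The allow-list test (sid must be digits) is the reliable signal, since keyword lists miss obfuscated payloads and produce false positives on ordinary text; the response size in the second line (51234 bytes against a 1288-byte baseline for the same page) is a further indicator worth correlating, because a successful boolean injection typically returns far more rows than a legitimate lookup.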


CVE-2025-7536 vulnerability details – vuln.today
