Severity by source
Primary rating from NVD (only source for this CVE).
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/product_update.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-7538 is an unrestricted file upload (CWE-434) in Campcodes Sales and Inventory System 1.0, in the handling of the image parameter of /pages/product_update.php. The NVD vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a remote, unauthenticated attacker who needs no user interaction. Because the upload is unrestricted, a PHP file written into a web-served directory gives code execution in the web server's context, so the practical impact can exceed the low (VC:L/VI:L/VA:L) ratings in the vector. Note the severity mismatch: the CVE description labels the issue "critical", but an L/L/L impact with no subsequent-system impact does not reach the CVSS 4.0 Critical band; treat the word as the source's label, not a score. The exploit has been published (E:P, proof-of-concept maturity), so exposed instances should be assumed to be under active probing.
Technical Context (AI)
The affected software is a PHP web application for product and inventory management. The /pages/product_update.php endpoint accepts a multipart file upload in the image parameter and stores it without adequate validation or access control. The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type), with CWE-284 (Improper Access Control) covering the missing authentication on the endpoint. The CVE description does not say which check is absent, but in this vulnerability class the usual defects are: the client-supplied filename and extension are kept, the type is judged only from the client's Content-Type header (or not at all), and the file is written under the document root, where the web server will hand a .php file to the interpreter. Any one of these is enough to turn an "image" upload into a web shell.
Remediation (AI)
Immediate actions: (1) Block or restrict /pages/product_update.php at the web server or WAF until a fix is available; since the vector is PR:N, requiring authentication in front of it removes the unauthenticated path on its own. (2) Validate uploads server-side: determine the type from file content (magic bytes, and a successful image decode), not from the Content-Type header or the filename, which the client controls; allow only an explicit set of image types; assign a server-generated filename and extension; enforce a size limit. (3) Store uploaded files outside the web root, or in a directory where PHP execution is disabled (Apache: engine off or no handler for .php; nginx: deny .php in the upload location), and serve them through a read-only script. (4) Require authentication and an authorization check before the upload is processed. Patch: no fixed version is referenced in current intelligence; contact Campcodes for a corrected release. Post-exposure check: because a proof of concept is public, inspect the existing upload directory of any internet-facing instance for files that are not valid images (anything with a .php/.phtml extension, or containing PHP open tags) and review access logs for POST requests to /pages/product_update.php from unexpected sources. Rate-limit uploads and alert on non-image content in that directory going forward.
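The following is an added example, not Campcodes' code; the project's actual product_update.php is not reproduced on this page. It is a hardened replacement for an image-upload handler of the kind the remediation describes. The vulnerable shape in the leading comment is the generic CWE-434 pattern, not a copy of the real file, and the session keys, UPLOAD_DIR path and size limit are assumptions for the example.

```php
<?php
// Added example (not Campcodes code): hardened image upload for a
// product_update.php-style endpoint.
//
// Generic vulnerable shape (hypothetical, illustrates the class, not the real file):
//   move_uploaded_file($_FILES['image']['tmp_name'], 'uploads/' . $_FILES['image']['name']);
// The client picks the name and extension and the file lands under the web
// root, so "shell.php" is stored and then executed by the server.

declare(strict_types=1);

session_start();

// 1. Authentication and authorization before anything touches the upload.
//    $_SESSION['user_id'] and $_SESSION['role'] are assumed names.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Destination outside the document root (assumed path). Files here are
//    served only via a read-only script, never directly by the web server.
const UPLOAD_DIR = '/var/app/private_uploads/products';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, assumed limit

// Allowed types keyed by the MIME type detected from file content, mapped to
// the extension the server assigns. The client-supplied name is never used.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_product_image(array $file): string
{
    // Reject anything PHP itself flagged (no file, partial upload, ini limits).
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed: error $err");
    }
    // Only accept a file that arrived in this request's multipart body, never
    // an arbitrary path on disk.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 3. Type from content (magic bytes), not from $_FILES['image']['type'],
    //    which is just the client's Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("disallowed type: $mime");
    }
    // It must also decode as an image of that same type; this rejects files
    // that carry only a forged magic-byte prefix in front of PHP code.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Re-encode through GD so payloads hidden in metadata or trailing
    //    bytes are not preserved in the stored copy.
    $img = match ($mime) {
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }

    // 5. Random server-generated name with a server-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 85),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    chmod($dest, 0640); // readable by the app, no execute bit
    return $name;       // persist this name with the product row, not a path
}

try {
    $stored = store_product_image($_FILES['image'] ?? []);
    echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Two notes on the design. Re-encoding through GD flattens animated GIFs and strips EXIF, which is the point: the stored bytes are produced by the server, not copied from the client. If the upload directory must stay under the web root for deployment reasons, the web server configuration has to refuse to execute anything there (Apache: `php_admin_flag engine off` in the directory block; nginx: a nested `location ~ \.php$ { deny all; }` inside the uploads location), and the random name plus server-chosen extension still applies.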
EUVD identifier: EUVD-2025-21266