Campcodes Online Movie Theater CVE-2025-7840
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Campcodes Online Movie Theater Seat Reservation System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=reserve of the component Reserve Your Seat Page. The manipulation of the argument Firstname/Lastname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Cross-site scripting (XSS) in Campcodes Online Movie Theater Seat Reservation System 1.0 allows authenticated remote attackers to inject malicious scripts via the Firstname or Lastname parameters on the reserve page, requiring user interaction to trigger. The vulnerability has a low CVSS score of 2.0 due to authentication and user interaction requirements, but publicly available exploit code exists and the vulnerability is classified as problematic with potential for phishing or session hijacking attacks.
Technical Context (AI)
The vulnerability is a reflected or stored XSS flaw (CWE-79) in the PHP-based reserve seat page component (/index.php?page=reserve). The Firstname and Lastname input parameters are not properly sanitized or encoded before being rendered in the HTML response, allowing attackers to inject arbitrary JavaScript. CVSS vector shows AV:N (network-accessible), AC:L (low attack complexity), PR:L (requires login), UI:P (requires user interaction to trigger the XSS), and VI:L (low integrity impact). The CPE identifies the affected product as Campcodes Online Movie Theater Seat Reservation System version 1.0 running on PHP infrastructure.
Remediation (AI)
No vendor-released patch identified at time of analysis. The primary remediation is to upgrade to a patched version of Campcodes Online Movie Theater Seat Reservation System if available from the vendor (www.campcodes.com). Until an official patch is released, apply input validation and output encoding: implement strict input validation on the Firstname and Lastname parameters to reject or sanitize special characters and HTML/JavaScript metacharacters, use output encoding (HTML entity encoding) when displaying user input in the reserve page template to prevent script execution, and implement a Content Security Policy (CSP) header to restrict inline script execution and limit script sources. Additionally, consider disabling the reserve feature entirely or restricting access to the reserve page to trusted internal networks only if the application does not require public access. Contact the vendor at www.campcodes.com to request a security patch and confirmation of affected versions.
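The validation, output encoding and CSP steps above, sketched as an added example; this is not Campcodes code. The field names `firstname` and `lastname`, the helpers `validate_name`, `e`, `csp_header` and `render_reservation`, and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Campcodes code. Field and helper names are assumptions.

/** Accept letters, combining marks, space, dot, apostrophe, hyphen; 1 to 64 characters. */
function validate_name($raw): ?string
{
    if (!is_string($raw)) {
        return null; // array-valued parameters are rejected outright
    }
    $name = trim($raw);
    // /u makes the pattern UTF-8 aware; invalid UTF-8 fails the match and is rejected.
    $ok = preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,63}\z/u', $name) === 1;
    return $ok ? $name : null;
}

/** HTML-encode a value for element content or a quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** CSP that blocks inline script unless it carries this response's nonce. */
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

/** Validate first, then encode at the point of output; the two are not interchangeable. */
function render_reservation(array $input): string
{
    $first = validate_name($input['firstname'] ?? null);
    $last  = validate_name($input['lastname'] ?? null);
    if ($first === null || $last === null) {
        return '<p class="error">Please enter a valid first and last name.</p>';
    }
    // Names that pass validation can still contain an apostrophe, so encoding stays mandatory.
    return '<p>Reservation for ' . e($first) . ' ' . e($last) . '</p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one legitimate name pair, one containing markup.
    echo render_reservation(['firstname' => "Siobhán", 'lastname' => "O'Brien"]), PHP_EOL;
    echo render_reservation(['firstname' => '<b>Ann</b>', 'lastname' => 'Lee']), PHP_EOL;
} else {
    header(csp_header(base64_encode(random_bytes(16))));
    echo render_reservation($_POST);
}
```

Any other template or admin view that later displays stored names needs the same `e()` call, since a stored value is rendered wherever it is read back.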