Campcodes Courier Management System CVE-2025-8186
Severity (by source): LOW
Primary rating from NVD, the only source for this CVE.
CVSS vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /edit_branch.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Campcodes Courier Management System 1.0 allows an authenticated remote attacker to alter the SQL statement built from the ID parameter of /edit_branch.php, exposing database contents and, depending on the database account's privileges, allowing rows to be modified or deleted. Valid credentials are required (PR:L), no user interaction is needed, and attack complexity is low. The word "critical" in the CVE.org description is the original reporter's wording; the CVSS 4.0 vector above (PR:L, low confidentiality, integrity and availability impact, no impact on subsequent systems) supports the lower rating shown under Severity by source. Exploit code has been publicly disclosed (E:P), though the EPSS score of 0.06% indicates a low real-world exploitation likelihood at the time of assessment.
Technical Context (AI)
The vulnerability is in the PHP code behind /edit_branch.php, where the ID parameter is inserted into an SQL statement without parameterization or validation. The specific weakness is CWE-89 (SQL Injection); the CWE-74 class cited in the record (Improper Neutralization of Special Elements in Output Used by a Downstream Component) is its parent. The product is a web-based courier management system written in PHP, most likely with a relational (MySQL-family) backend. Because the query is assembled by string concatenation rather than a prepared statement, any logged-in user who can reach the branch-editing page can append SQL to the ID value, for example a tautology that returns every branch or a UNION SELECT that reads rows from other tables, and, subject to the database account's privileges, modify or delete data.
Remediation (AI)
Vendor patch status is not documented in the references available for this CVE. Check Campcodes (https://www.campcodes.com/) for an updated release and upgrade if one exists. Until then, apply compensating controls:
(1) Put a WAF or reverse-proxy rule in front of /edit_branch.php that allows only a purely numeric ID parameter (regex: ^[0-9]+$) and blocks everything else. A numeric allow-list is far more reliable than blocking SQL keywords such as UNION or OR: keyword lists are bypassed with case changes, comments and encoding, and they reject legitimate input that happens to contain those words.
(2) In the application, validate ID as an integer before it is used (for example ctype_digit() or filter_var() with FILTER_VALIDATE_INT) and reject non-matching requests.
(3) Replace string concatenation in the SQL with prepared statements and bound parameters (PDO or mysqli). This is the actual fix; it removes the injection vector regardless of the input.
(4) Run the application's database account with the least privilege it needs (no FILE or DDL rights, no access to other schemas) so that a successful injection yields as little as possible.
(5) Enable query and access logging and alert on injection indicators in the ID parameter: UNION, comment sequences (--, #, /* */), stacked statements, and bursts of requests from one session with varying ID values, which is characteristic of automated extraction.
Controls (1), (2), (4) and (5) can be deployed without touching application code; (3) requires a code change but is the only one that closes the bug.