
Campcodes Courier Management System CVE-2025-8187

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-07-26 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Safety (supplemental metric S)
Not Defined (X). CVSS 4.0 has no Scope metric; the S:X component of the vector is the Safety supplemental metric, left undefined here.

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:49 (vuln.today)

Description (CVE.org)

A vulnerability was found in Campcodes Courier Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

SQL injection in Campcodes Courier Management System 1.0 allows an authenticated remote attacker to inject arbitrary SQL through the ID parameter of /edit_parcel.php, which can expose or modify data in the application database. Exploit code has been published. The NVD CVSS 4.0 score of 2.1 and an EPSS of 0.06% nonetheless indicate limited expected real-world impact: the vector requires a low-privilege account (PR:L), rates confidentiality, integrity and availability impact on the vulnerable system as Low (VC:L/VI:L/VA:L), records no impact on subsequent systems (SC:N/SI:N/SA:N), and factors in Proof-of-Concept exploit maturity (E:P). The description's "critical" rating comes from the reporting CNA and does not match the NVD score.

Technical Context (AI)

The vulnerability is in the /edit_parcel.php endpoint, where the user-supplied ID parameter reaches a SQL query without being neutralized. The advisory does not publish the code path; in PHP applications of this kind the usual cause is string concatenation of the request parameter into the query text in place of a prepared statement with bound parameters. The page classifies the flaw under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent of the SQL-injection weakness, and an attacker with valid credentials can use it to inject arbitrary SQL syntax. The affected product is Campcodes Courier Management System version 1.0, a web-based PHP application. The attack is network-reachable over HTTP/HTTPS and requires only that the attacker hold a valid login.
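The two forms of the query described above, as an added example written for this page rather than code from the Campcodes project. The vulnerable application is PHP; Python with an in-memory SQLite database is used here so the pattern can be run offline. The table and column names (parcels, users, tracking, recipient, password_hash), the row data and the hash values are constructed for the demonstration and are not taken from the product.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for the application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (id INTEGER PRIMARY KEY, tracking TEXT, recipient TEXT)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO parcels VALUES (?, ?, ?)",
        [(1, "CC1001", "alice"), (2, "CC1002", "bob"), (3, "CC1003", "carol")],
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-hash-admin"), (2, "staff", "constructed-hash-staff")],
    )
    return conn


def edit_parcel_vulnerable(conn, id_param):
    """Pattern the advisory describes: the request parameter is spliced into SQL.

    Because id_param controls the WHERE clause, a caller can widen it with
    OR 1=1 or append UNION SELECT to read other tables through this endpoint.
    """
    query = f"SELECT id, tracking, recipient FROM parcels WHERE id = {id_param}"
    return conn.execute(query).fetchall()


def parse_parcel_id(id_param):
    """Accept only a positive integer; reject every other shape of input."""
    if not isinstance(id_param, str) or not id_param.strip().isdigit():
        raise ValueError("parcel id must be a positive integer")
    parcel_id = int(id_param)
    if parcel_id <= 0:
        raise ValueError("parcel id must be a positive integer")
    return parcel_id


def edit_parcel_hardened(conn, id_param):
    """Hardened form: validated integer bound as a parameter, never concatenated."""
    parcel_id = parse_parcel_id(id_param)
    return conn.execute(
        "SELECT id, tracking, recipient FROM parcels WHERE id = ?", (parcel_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(edit_parcel_vulnerable(db, "1"))          # the one legitimate row
    print(edit_parcel_vulnerable(db, "1 OR 1=1"))   # every parcel
    print(edit_parcel_vulnerable(
        db, "0 UNION SELECT id, username, password_hash FROM users"))  # credential table
    print(edit_parcel_hardened(db, "2"))
    try:
        edit_parcel_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened path combines two independent controls: the parameter is validated as an integer before it is used at all, and the query is sent with a bound placeholder so the database driver never interprets the value as SQL. In the real PHP code base the equivalent is a prepared statement through PDO or mysqli with the value bound, after the same integer check.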

Remediation (AI)

Update Campcodes Courier Management System to a patched version if Campcodes has released one (check https://www.campcodes.com/ for availability and version numbers; no vendor fix is listed on this page). If no patched version exists, fix /edit_parcel.php directly: validate that the ID parameter is a positive integer before it is used, and pass it to the database through a prepared statement with a bound parameter rather than building the query by concatenation. As interim compensating controls, restrict network access to the application (and /edit_parcel.php in particular) to trusted IP ranges, and strengthen authentication (multi-factor authentication where the deployment supports it) to shrink the pool of accounts that could exploit the flaw, since the attack requires a valid login. Web Application Firewall rules that block SQL syntax in the ID parameter reduce exposure but are bypassable and do not replace the code fix. Monitor web-server and database logs for requests to this endpoint whose ID value is anything other than a plain integer.
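A detection check for the monitoring step above, added here as an example and not taken from the vendor or from vuln.today. It scans combined-format web-server access log lines for requests to /edit_parcel.php whose ID value is not a plain integer, which is the only legitimate shape for a parcel identifier. The log lines are constructed for the example; the parameter name is assumed to be the lowercase id and is matched case-insensitively since the advisory writes it as "ID".

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jul/2025:10:01:02 +0000] "GET /edit_parcel.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jul/2025:10:01:09 +0000] "GET /edit_parcel.php?id=12%20OR%201%3D1 HTTP/1.1" 200 9130 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jul/2025:10:02:41 +0000] "GET /edit_parcel.php?id=0%20UNION%20SELECT%201%2Cuser()%2C3-- HTTP/1.1" 200 5201 "-" "sqlmap/1.8"
198.51.100.7 - - [26/Jul/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Keywords and metacharacters that never belong in a numeric parcel id.
SQLI_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b"
    r"|\b(or|and)\b\s*[\w'\"]+\s*=|--|/\*|[#'\";]",
    re.IGNORECASE,
)


def classify_id(value):
    """Return None for a clean integer id, otherwise a short reason string."""
    decoded = unquote(value)  # extra decode pass catches double-encoded payloads
    if decoded.strip().isdigit():
        return None
    if SQLI_RE.search(decoded):
        return "sql syntax in id: " + decoded
    return "non-numeric id: " + decoded


def scan_log(text, path="/edit_parcel.php", param="id"):
    """Yield one finding per suspicious ID value sent to the target path."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        # parse_qs percent-decodes once; classify_id decodes a second time.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() != param:
                continue
            for value in values:
                reason = classify_id(value)
                if reason:
                    hits.append({
                        "ip": m["ip"],
                        "ts": m["ts"],
                        "status": int(m["status"]),
                        "reason": reason,
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 response to a request with injected syntax, as in the constructed second and third lines, is the signal that the endpoint processed the payload rather than rejecting it. The same classification applies to POST bodies if the deployment logs them, and to database query logs where the literal after `WHERE id =` can be checked the same way.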
