Campcodes Courier Management System CVE-2025-8188
Severity (by source): LOW
CVSS vector (NVD, the primary and only rating source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as critical has been found in Campcodes Courier Management System 1.0. This affects an unknown part of the file /edit_staff.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
SQL injection in Campcodes Courier Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter of /edit_staff.php, affecting database confidentiality and integrity with a low-severity impact rating. Public exploit code exists, but the CVSS score of 2.1 and the EPSS score of 0.06% indicate a low probability of real-world exploitation despite the source's "critical" classification of the flaw.
Technical Context (AI-generated)
The vulnerability exists in a PHP-based staff management page (/edit_staff.php) of the Campcodes Courier Management System. The ID parameter is passed into an SQL query without a parameterized statement or input validation, so an attacker who controls the parameter can inject arbitrary SQL syntax into the query. The weakness is filed under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent class of SQL injection (CWE-89). Exploitation requires network access and an authenticated account (PR:L in the CVSS vector), which limits the attack surface to users who hold valid credentials. The affected product is identified by the CPE cpe:2.3:a:campcodes:courier_management_system:1.0:*:*:*:*:*:*:*, meaning every installation of version 1.0 is affected.
Remediation (AI-generated)
Update Campcodes Courier Management System to a patched release newer than version 1.0. No specific patched version is confirmed in the available data; contact Campcodes directly at https://www.campcodes.com/ for the current release status. As an immediate compensating control, restrict the database account used by /edit_staff.php to SELECT and UPDATE on the staff table only, removing DELETE and DROP privileges so that a successful injection has limited impact. Additionally, add a Web Application Firewall (WAF) rule that blocks SQL metacharacters (single quotes, semicolons, UNION keywords) in the ID parameter, and enforce input validation that accepts only numeric values for ID, since staff identifiers are typically numeric. If upgrading is delayed, convert every database interaction in /edit_staff.php to parameterized queries (prepared statements with bound parameters). These controls reduce the risk of exploitation while a vendor patch is awaited.
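The following is an added illustration of the remediation above, not code from Campcodes or from the advisory: it assumes the vulnerable page builds its query by concatenating the ID parameter into the SQL text (the advisory does not show the actual code), and the table name, column names and DSN are hypothetical.

```php
<?php
// Added illustration (not the project's code). The "unsafe" function shows the
// pattern the advisory describes; the "safe" function applies the two
// recommended fixes: numeric validation and a prepared statement.
// Table/column names and the connection details are hypothetical.

// --- Vulnerable pattern: request input concatenated into the SQL text -------
function load_staff_unsafe(PDO $db, array $get): ?array
{
    // Whatever arrives in ?ID=... becomes part of the query string itself,
    // so SQL metacharacters in the parameter change the structure of the query.
    $sql = "SELECT * FROM staff WHERE id = '" . ($get['ID'] ?? '') . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened form: validate the type, then bind the value -------------------
function load_staff_safe(PDO $db, array $get): ?array
{
    // 1. Staff identifiers are numeric: reject anything that is not a
    //    positive integer before it gets anywhere near the database.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // malformed ID: refuse the request
        return null;
    }

    // 2. Prepared statement with a bound parameter: the SQL text is fixed and
    //    the value travels separately, so it can never alter the query.
    $stmt = $db->prepare('SELECT id, name, email FROM staff WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with a hypothetical DSN. Emulated prepares are disabled so the driver
// performs real server-side parameter binding rather than client-side quoting.
$pdo = new PDO('mysql:host=localhost;dbname=courier', 'cms_user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$staff = load_staff_safe($pdo, $_GET);
```

Pairing the validation with a least-privilege database account (SELECT/UPDATE on the staff table only, as recommended above) bounds the damage even if another query on the page is later found to be unparameterized.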