Campcodes Courier Management System CVE-2025-8189
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as critical was found in Campcodes Courier Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in Campcodes Courier Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_user.php, affecting data confidentiality and integrity. The vulnerability has publicly available exploit code but carries a very low EPSS score (0.06%, percentile 19%), suggesting minimal real-world exploitation risk despite the critical classification and public disclosure.
Technical ContextAI
The vulnerability exists in the /edit_user.php file of a PHP-based courier management application. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates insufficient input validation or parameterized query usage when processing the ID parameter. The ID argument is directly concatenated into SQL queries without proper escaping or prepared statement mechanisms, allowing attackers to inject malicious SQL syntax. This is a classic SQL injection vulnerability in a web application handling courier/logistics data.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations running Campcodes Courier Management System 1.0 should immediately contact Campcodes (https://www.campcodes.com/) to request a security update or upgrade timeline. Until a patched version is available, implement compensating controls: restrict access to /edit_user.php to a whitelist of trusted administrator IP addresses via web server configuration (nginx/Apache); deploy a Web Application Firewall (WAF) with SQL injection detection rules to block requests containing SQL keywords in the ID parameter; implement database user privilege separation so the application's database account has minimal permissions (no DROP, ALTER, or access to sensitive tables beyond courier records); enable detailed SQL query logging and monitor for anomalous patterns. These controls reduce exploitability but do not eliminate the vulnerability itself - patching remains the required long-term fix.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today