Campcodes Courier Management System CVE-2025-8229
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as critical has been found in Campcodes Courier Management System 1.0. This affects an unknown part of the file /parcel_list.php. The manipulation of the argument s leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Campcodes Courier Management System 1.0 allows an authenticated remote attacker to inject arbitrary SQL through the 's' parameter of /parcel_list.php; exploit code has been published. Although the original report classifies the flaw as critical, the CVSS 4.0 score of 2.1 (LOW) reflects low confidentiality, integrity and availability impact on the vulnerable system (VC:L/VI:L/VA:L), the need for an existing low-privileged account (PR:L), no impact on subsequent systems (SC:N/SI:N/SA:N; CVSS 4.0 has no scope metric) and a threat metric of proof-of-concept exploit maturity (E:P). The EPSS score of 0.06% indicates a low probability of exploitation in the wild despite the public proof of concept. Treat the impact metrics as the reporter's template rating rather than a tested outcome: an injection into a SELECT on this endpoint can read whatever the application's database account can read, so verify the actual exposure in your deployment before deprioritising.
Technical Context (AI)
The flaw is in /parcel_list.php, a PHP script in which the value of the 's' request parameter is concatenated into a SQL statement without validation or parameter binding, so the attacker controls part of the query text. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'): untrusted input is passed unneutralized to the database. Campcodes Courier Management System 1.0 is a PHP web application and, like other Campcodes projects, is most likely backed by MySQL or MariaDB, although the advisory does not name the database engine. The attack vector is network-based with low complexity (AV:N/AC:L/AT:N), so the request can be sent from anywhere that can reach the web application, but a valid low-privileged account is required (PR:L) and no user interaction is needed (UI:N).
Remediation (AI)
Apply a vendor-released patch or upgrade to a patched version of Campcodes Courier Management System if one is available from https://www.campcodes.com/. If no vendor patch is available, apply the following compensating controls, listed in order of priority:
(1) Replace the dynamic SQL in /parcel_list.php with prepared statements that bind the 's' value as a parameter (for example PDO or mysqli prepared statements in PHP). This is the actual fix: the query text becomes constant and the value can no longer change its structure. Placeholders only protect values; if 's' is ever used as a column name, table name or ORDER BY direction, it must instead be mapped against a fixed allow-list of accepted identifiers.
(2) Add allow-list input validation for 's' (expected character set and maximum length), rejecting anything else before it reaches the query. Validation reduces the attack surface but is not a substitute for (1); blocklisting SQL metacharacters alone is easy to bypass.
(3) Restrict the database account used by the application to the minimum privileges it needs (no DROP, FILE or access to other schemas), so that a successful injection cannot escalate beyond reading and writing the application's own tables.
(4) Deploy Web Application Firewall rules that flag SQL injection patterns in the 's' parameter of /parcel_list.php and alert on matches; because PR:L means the request is tied to an authenticated session, a hit also identifies the account to investigate.
(5) Enforce strong authentication and rate limiting on the endpoint to shrink the pool of accounts that can reach it.
Prepared statements are the primary defense; (2) to (5) are defense in depth and do not remove the underlying flaw.
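The injection pattern and its fix, reproduced below as an added example that is not the project's code: the advisory does not show the real /parcel_list.php source, so the query shape, the `parcels` and `users` tables, their column names and the assumption that 's' is matched against a sender column are all constructed for illustration. The example runs offline against an in-memory SQLite database (the real product most likely uses MySQL; the injection mechanics are the same) and contrasts the concatenated query with the parameterized one, plus the allow-list check from control (2).

```python
"""Added example, not Campcodes code: CWE-74 SQL injection via a search
parameter, shown beside the parameterized fix. Schema and data are constructed."""
import re
import sqlite3

# Constructed sample data standing in for the application's parcel table.
SAMPLE_PARCELS = [
    (1, "PKG-1001", "alice", "delivered"),
    (2, "PKG-1002", "bob", "in transit"),
    (3, "PKG-1003", "carol", "pending"),
]


def make_db():
    """Build an in-memory database with a parcels table and a users table
    (the second table gives a UNION payload something worth reading)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (id INTEGER PRIMARY KEY, tracking TEXT, "
        "sender TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?, ?)", SAMPLE_PARCELS)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', '$2y$10$examplehash')")
    conn.commit()
    return conn


def list_parcels_vulnerable(conn, s):
    """Mirrors the flawed pattern: the 's' value is spliced into the SQL text,
    so quotes and keywords in it become part of the query."""
    sql = (
        "SELECT id, tracking, sender, status FROM parcels WHERE sender = '"
        + s + "'"
    )
    return conn.execute(sql).fetchall()


def list_parcels_fixed(conn, s):
    """The fix: the SQL text is constant and 's' travels as a bound parameter,
    so it can only ever be compared as a value."""
    sql = "SELECT id, tracking, sender, status FROM parcels WHERE sender = ?"
    return conn.execute(sql, (s,)).fetchall()


# Assumed allow-list for a search term: letters, digits, space, _ . - and a
# length cap. Defense in depth only; the prepared statement is the real fix.
SEARCH_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def validate_search(s):
    """Return True only if the whole string matches the allow-list."""
    return SEARCH_RE.fullmatch(s) is not None


def demo():
    """Run both query styles against two classic payloads and return the rows."""
    conn = make_db()
    # Tautology: turns the WHERE clause into "sender = 'bob' OR '1'='1'".
    tautology = "bob' OR '1'='1"
    # UNION: appends the users table; "--" comments out the trailing quote.
    union = "x' UNION SELECT id, username, password_hash, 'x' FROM users--"
    return {
        "vuln_tautology": list_parcels_vulnerable(conn, tautology),
        "fixed_tautology": list_parcels_fixed(conn, tautology),
        "vuln_union": list_parcels_vulnerable(conn, union),
        "fixed_union": list_parcels_fixed(conn, union),
        "tautology_passes_allowlist": validate_search(tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the tautology payload returns every parcel and the UNION payload returns the admin's password hash; the parameterized version returns no rows for either, because the database is asked for a sender literally equal to the payload string. The allow-list rejects both payloads, but it would also reject a legitimate apostrophe in a name, which is why validation is the secondary control and binding is the primary one.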