Campcodes Courier Management System CVE-2025-8230
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as critical was found in Campcodes Courier Management System 1.0. This vulnerability affects unknown code of the file /manage_user.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in Campcodes Courier Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /manage_user.php, with publicly available exploit code disclosed. Despite a critical classification, the CVSS 4.0 vector reflects low impact (confidentiality, integrity, availability all limited) and EPSS score of 0.06% suggests minimal real-world exploitation probability.
Technical ContextAI
The vulnerability resides in the /manage_user.php endpoint of a PHP-based courier management application (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The ID parameter lacks proper input validation or parameterized query preparation, allowing SQL injection payloads to be concatenated directly into database queries. This affects Campcodes Courier Management System 1.0 specifically (CPE: cpe:2.3:a:campcodes:courier_management_system:1.0:*:*:*:*:*:*:*), a web application built on PHP for managing courier logistics.
RemediationAI
Upgrade to a patched version if available from Campcodes; contact the vendor via https://www.campcodes.com/ to confirm the availability of security updates beyond version 1.0. If no patch is released, implement immediate compensating controls: (1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the ID parameter of /manage_user.php requests, with the trade-off of potential false positives requiring tuning; (2) Restrict network access to /manage_user.php to trusted IP addresses or VPNs, limiting the remote attack vector; (3) Enforce the principle of least privilege on database user accounts used by the application - use a database role with SELECT-only permissions on the users table if the /manage_user.php endpoint requires only read operations, eliminating the ability to execute INSERT/UPDATE/DELETE even if SQL injection succeeds; (4) Enable database query logging and alerting to detect anomalous SQL patterns indicative of injection attempts. These controls do not eliminate the underlying vulnerability but substantially reduce practical exploitation risk until a vendor patch is deployed.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today