Campcodes Courier Management System CVE-2025-8254
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Campcodes Courier Management System 1.0 via the ID parameter of /view_parcel.php lets an authenticated remote attacker inject arbitrary SQL into the query that looks up a parcel. The CVSS 4.0 score of 2.1 (LOW) reflects the need for a low-privileged account (PR:L) and the low-rated confidentiality, integrity and availability impact on the vulnerable system (VC:L/VI:L/VA:L), with no impact on subsequent systems (SC:N/SI:N/SA:N). Public exploit code exists (E:P), but the 0.06% EPSS score indicates a low probability of exploitation in the wild. The "critical" wording in the CVE.org description comes from the original reporter's own severity scale and does not correspond to the NVD rating above.
Technical Context (AI)
The vulnerability is in how /view_parcel.php handles the ID parameter: the value supplied by the client is placed into an SQL query without proper neutralization, so whoever controls it can change the structure of the query. This is a direct (first-order) SQL injection: the tainted value reaches the query in the same request that supplies it. It is not a second-order injection, which would require the value to be stored first and read back into a later query. The assigned weakness class is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent of the more specific CWE-89 (SQL Injection). The application is written in PHP and manages parcel records, so the database queries that consume request parameters are the control point to review. The CPE data lists only version 1.0 of Campcodes Courier Management System as affected.
Remediation (AI)
Upgrade Campcodes Courier Management System to a patched version if the vendor releases one; check https://www.campcodes.com/ for updates beyond version 1.0. The code-level fix is to stop building the query by string concatenation and pass the ID as a bound parameter of a prepared statement (PDO or mysqli in PHP), so the value is treated as data rather than SQL regardless of its content. If a fix cannot be applied immediately, use the following compensating controls, with their trade-offs: (1) Restrict access to /view_parcel.php to authorized users only, by IP allow-listing or Web Application Firewall rules; effective, but it reduces usability for remote staff and does nothing against a malicious or compromised account, which is all this vulnerability requires (PR:L). (2) Deploy a WAF rule that blocks SQL injection patterns in the ID parameter (single quotes, keywords such as UNION or OR, comment sequences such as -- and /*); this raises the bar but signature rules are bypassable, and the rule may produce false positives if legitimate parcel IDs contain special characters. (3) Validate the ID parameter at the application level against an allow-list format (for example, a short decimal integer if parcel IDs are numeric) and reject anything else before it reaches the query; low side effects if implemented correctly and highly effective, but it is a defense-in-depth measure, not a substitute for parameterized queries. In addition, run the application's database account with least privilege: grant only the statements the application actually issues, on its own schema only, with no administrative, cross-database or file-system rights (for example the MySQL FILE privilege, if MySQL is the backend), so that a successful injection cannot read other databases or write files. A blanket SELECT-only grant is not realistic for a system that creates and updates parcel records, so scope write privileges to the tables that need them rather than removing them entirely.