Campcodes Online Hotel Reservation System CVE-2025-8379
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as critical has been found in Campcodes Online Hotel Reservation System 1.0. This affects an unknown part of the file /admin/edit_room.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Unrestricted file upload in Campcodes Online Hotel Reservation System 1.0 allows high-privileged authenticated administrators to upload arbitrary files via the photo parameter in /admin/edit_room.php, potentially leading to remote code execution. The vulnerability requires administrative credentials to exploit and has publicly available proof-of-concept code, but carries low real-world risk due to the high privilege requirement (PR:H) and limited confidentiality/integrity impact in the CVSS v4.0 vector.
Technical Context (AI)
The vulnerability exists in the administrative file upload handler at /admin/edit_room.php, where the photo parameter fails to properly validate or restrict uploaded file types. This is a classic unrestricted file upload flaw (CWE-284: Improper Access Control) that occurs in the context of a PHP-based hotel reservation system. The file upload mechanism does not implement proper validation such as file type checking, MIME type verification, or extension whitelisting. An attacker with administrative access could potentially upload PHP files or other executable content to achieve remote code execution, though the CVSS v4.0 vector's VC:L/VI:L/VA:L ratings suggest the vendor's assessment limits the scope of direct impact from this single vulnerability.
Remediation (AI)
Upgrade to a patched version of Campcodes Online Hotel Reservation System if available from the vendor at https://www.campcodes.com/. If an upgrade is unavailable, implement strict server-side file upload validation: whitelist allowed file extensions (e.g., .jpg, .png, .gif only), validate MIME types, store uploaded files outside the web root or in a non-executable directory, and rename uploaded files with random identifiers to prevent direct execution. Additionally, restrict the /admin/edit_room.php endpoint to specific IP addresses or require multi-factor authentication for admin login to reduce the attack surface. Configure the web server (Apache/Nginx) to prevent execution of scripts in the upload directory using .htaccess or web.config directives.
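The following is an added example of the server-side validation described above, written for this page; it is not Campcodes code and does not reflect how /admin/edit_room.php is actually implemented. The upload directory, size limit and the `photo` field name are assumptions chosen for illustration. It applies every step from the remediation list: content-based MIME detection, an extension allow-list, a decode check, storage outside the web root, and a random server-chosen filename.

```php
<?php
// Added example (not Campcodes code): a hardened image-upload handler
// implementing the remediation steps listed above. Paths, the size limit
// and the field name "photo" are assumptions for illustration.

declare(strict_types=1);

// Destination OUTSIDE the web root (assumed path), so even a file that
// slips through validation cannot be requested and executed by the server.
const UPLOAD_DIR = '/var/app/uploads/rooms';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, assumed limit

// Allow-list keyed by the MIME type detected from file CONTENT, mapped to
// the only extension that will ever be written. The client-supplied name
// and $_FILES['photo']['type'] are never trusted.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded image and move it to UPLOAD_DIR under a random name.
 * Returns the stored filename (e.g. "3f9c...a1.png") or throws on any failure.
 */
function store_room_photo(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file provided');
    }
    if (!isset($file['size']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Content-based MIME detection (magic bytes), not the client header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Disallowed content type');
    }

    // 2. Cross-check that the bytes really decode as an image of that type,
    //    so a PHP script with a forged image header is still rejected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // 3. Random server-chosen name with the allow-listed extension; the
    //    original filename (and any ".php" or double extension) is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

// Usage inside the admin handler, after the existing session/role check:
// try {
//     $stored = store_room_photo($_FILES['photo'] ?? []);
//     // persist $stored in the room record and serve it through a
//     // read-only script that streams the file with the detected Content-Type
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Invalid photo upload');
// }
```

If the application must keep uploads under the web root for direct linking, the storage step still applies as defence in depth: on Apache, an `.htaccess` in that directory with `php_flag engine off` and a `<FilesMatch "\.(php|phtml|phar)$">` deny rule stops the interpreter from running anything placed there, and on Nginx a `location` block for the upload path that returns 403 for those extensions has the same effect. The random rename and the content-based allow-list are what prevent the `photo` argument from ever selecting the stored name or extension, which is the control the advisory reports as missing.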