Campcodes Online Hotel Reservation System CVE-2025-8380
Severity (by source): LOW
CVSS vector (NVD; primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability classified as problematic was found in Campcodes Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /admin/add_query_account.php. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Cross-site scripting (XSS) in Campcodes Online Hotel Reservation System 1.0 allows authenticated users to inject malicious scripts via the Name parameter of /admin/add_query_account.php, affecting the integrity of admin-level functionality. Exploitation requires user interaction (UI:P) and authenticated access (PR:L), which limits direct remote exploitation to attackers holding valid credentials; however, exploit code is publicly available, and the VI:L (low integrity impact) component of the CVSS 4.0 vector reflects limited but confirmed damage potential in a stored XSS context.
Technical Context (AI-generated)
The vulnerability is a Stored Cross-Site Scripting (CWE-79) flaw in a PHP-based hotel reservation management interface. The /admin/add_query_account.php file fails to sanitize or validate the 'Name' input parameter before processing or storing it, allowing attackers to embed arbitrary JavaScript code that executes in the context of administrative sessions. This is a common weakness in legacy PHP applications that do not implement proper input validation, output encoding, or Content Security Policy headers. The affected system is a web-based reservation platform written in PHP, as indicated by the file path and the direct manipulation of admin interface parameters.
Remediation (AI-generated)
No vendor-released patch was identified at the time of analysis. Immediate mitigation requires:
(1) Update to a patched version if one is available, by contacting Campcodes support via https://www.campcodes.com/ or checking for security updates.
(2) As an interim compensating control, restrict access to /admin/add_query_account.php with network-level access controls (firewall rules, IP whitelisting) so that only trusted administrators can reach it.
(3) Implement input validation and output encoding in the Name parameter handler: sanitize all user input with PHP htmlspecialchars() or equivalent HTML entity encoding before storage and retrieval.
(4) Deploy a Web Application Firewall (WAF) with XSS detection rules to block script payloads in the Name parameter.
(5) Disable the admin functionality if the feature is not actively used.
Each control has trade-offs: network restriction may hamper legitimate admin access from remote locations; a WAF may generate false positives; sanitization requires code changes. Until a vendor patch is released, a combination of access restriction and output encoding is the most practical short-term defense.
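The following is an added illustration of the output-encoding and validation controls recommended above and of the stored-XSS pattern described in the technical context. It is not code from Campcodes or from the affected add_query_account.php; the request field name "Name", the table name query_accounts and the $pdo database handle are assumptions made for the example.

```php
<?php
// Added illustration (not Campcodes code): the shape of an admin "add account"
// handler before and after applying validation, output encoding and a CSP header.
// The field name "Name", the table "query_accounts" and the $pdo handle are
// assumptions about the affected page, not taken from the real file.

declare(strict_types=1);

// --- Vulnerable pattern: the stored value is written into HTML unchanged ---------
function render_name_unsafe(string $name): string
{
    // Whatever was stored is placed straight into the document, so any markup
    // or script in it is interpreted by the administrator's browser.
    return '<td>' . $name . '</td>';
}

// --- Hardened pattern --------------------------------------------------------------
// 1) Validate on input: an account name has a bounded length and character set.
//    Returns the trimmed name, or null when it must be rejected.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    // Letters (any script), digits, spaces and a few punctuation marks only;
    // angle brackets, quotes and control characters are rejected outright.
    if (!preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// 2) Encode on output: every time a stored value is written into HTML, escape it.
//    This must happen regardless of validation, because data may also reach the
//    table by other paths (imports, older records, other forms).
function render_name_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// 3) Defence in depth: a restrictive Content Security Policy so that an inline
//    script that slips through is not executed by a compliant browser.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// --- Handler wiring (assumed structure) --------------------------------------------
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    send_security_headers();
    $name = validate_name((string) ($_POST['Name'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        exit('Invalid account name.');
    }
    // Store with a prepared statement ($pdo is an assumed, already-open PDO handle).
    // Parameter binding protects the SQL layer; it does not replace the HTML
    // encoding applied in render_name_safe() when the value is displayed.
    $stmt = $pdo->prepare('INSERT INTO query_accounts (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    echo '<table><tr>' . render_name_safe($name) . '</tr></table>';
}
```

Called with a name such as `O'Brien <b>`, validate_name() returns null (the angle bracket fails the whitelist) and the request is refused; if a value containing markup is nonetheless already in the database, render_name_safe() turns `<` and `>` into `&lt;` and `&gt;`, so it is displayed as text rather than parsed as HTML. Applying both controls is what makes the fix robust: validation narrows what can be stored, encoding guarantees that whatever is stored cannot change the structure of the page.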