Campcodes Online Hotel Reservation System CVE-2025-8381
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in Campcodes Online Hotel Reservation System 1.0. This issue affects some unknown processing of the file /add_reserve.php. The manipulation of the argument room_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Campcodes Online Hotel Reservation System 1.0 via the room_id parameter in /add_reserve.php allows authenticated remote attackers to execute arbitrary SQL queries, but a CVSS score of 2.1 and an EPSS of 0.07% (20th percentile) indicate minimal real-world risk despite public exploit availability. The vulnerability requires valid user authentication and produces only low confidentiality, integrity, and availability impact, which is inconsistent with the 'critical' classification in the initial report.
Technical Context (AI)
The vulnerability exists in PHP-based hotel reservation software where user input (the room_id parameter) is processed in /add_reserve.php without proper parameterization or input validation before being embedded into SQL queries. This instantiates CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), a class that covers SQL injection. The affected product is Campcodes Online Hotel Reservation System version 1.0, identified by CPE cpe:2.3:a:campcodes:online_hotel_reservation_system:1.0. The attack vector is network-based but requires prior authentication (CVSS PR:L), limiting the threat surface to existing users or accounts.
Remediation (AI)
Contact Campcodes for patched version availability; no specific patch version is published in the vendor advisories reviewed. As immediate mitigation, implement input validation and parameterized queries (prepared statements) in /add_reserve.php for the room_id parameter to neutralize SQL injection; a code review of all database queries in the reservation module is strongly recommended. If a vendor patch is unavailable, restrict access to /add_reserve.php via Web Application Firewall (WAF) rules that block SQL metacharacters in the room_id parameter, or limit reservation functionality to administrators only by enforcing stricter role-based access controls. Upgrade to a patched version once released; monitor https://www.campcodes.com/ for security updates.
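The mitigation above, as an added illustration that is not Campcodes' code and does not reproduce the actual /add_reserve.php source (which this page does not show): a generic unsafe lookup of the kind the advisory describes, beside a hardened version that validates room_id as a positive integer and binds it through a mysqli prepared statement. The connection variable $db, the table rooms and its columns id, room_name and price are assumptions made for the example.

```php
<?php
// Added example, not the product's code. Assumed schema: rooms(id, room_name, price).

// Unsafe pattern (for contrast only): room_id is interpolated into the SQL text,
// so any value containing SQL metacharacters changes the query structure (CWE-74).
function find_room_unsafe(mysqli $db, string $room_id): ?array
{
    $sql = "SELECT id, room_name, price FROM rooms WHERE id = '" . $room_id . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: validate the type first, then bind the value as a parameter
// so the database engine receives it as data, never as part of the SQL text.
function find_room_safe(mysqli $db, $raw_room_id): ?array
{
    // room_id is a numeric key: reject anything that is not a positive integer.
    $room_id = filter_var($raw_room_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($room_id === false) {
        return null; // caller should answer with 400 Bad Request
    }

    $stmt = $db->prepare("SELECT id, room_name, price FROM rooms WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $room_id); // 'i' binds the placeholder as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed request-handler shape (hypothetical, not the real add_reserve.php):
// $room = find_room_safe($db, $_POST['room_id'] ?? '');
// if ($room === null) { http_response_code(400); exit('invalid room_id'); }
```

The validation step is what makes the WAF rule mentioned above redundant for this parameter: once room_id can only ever be an integer, there are no metacharacters left to filter, and the prepared statement guarantees that even an unexpected value cannot alter the query. Applying the same two steps to every query in the reservation module is the code review the remediation calls for.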