Campcodes Online Hotel Reservation System CVE-2025-8382
Severity (by source): LOW
CVSS vector (NVD, primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as critical, was found in Campcodes Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/edit_room.php. The manipulation of the argument room_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Campcodes Online Hotel Reservation System 1.0 allows an authenticated remote attacker to manipulate the room_id parameter of /admin/edit_room.php and so read or modify database contents through the affected query. The CVSS 4.0 vector requires valid login credentials (PR:L), rates confidentiality, integrity and availability impact on the vulnerable system as low (VC:L/VI:L/VA:L) and records no impact on subsequent systems (SC:N/SI:N/SA:N), which is reflected in the reported score of 2.1. A proof-of-concept exploit has been publicly disclosed (E:P), but the EPSS percentile of about 20 suggests limited real-world exploitation interest so far.
Technical Context (AI)
Campcodes Online Hotel Reservation System is a PHP-based hotel management application. The vulnerability resides in the /admin/edit_room.php endpoint, which incorporates the room_id request parameter into a SQL query without validating it or binding it as a query parameter. The CVE is classed under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); the SQL-specific child weakness is CWE-89. Because the affected function sits in the admin area, the attack requires a prior login (PR:L). The attack vector is network-based (AV:N) with low complexity (AC:L) and no further preconditions (AT:N): once authenticated, an attacker only needs to send a crafted room_id value in the request.
Remediation (AI)
Update Campcodes Online Hotel Reservation System to a patched version if the vendor releases one; consult https://www.campcodes.com/ for availability and upgrade instructions, as no patched version was identified from advisory data at the time of writing. Until a fix is available, apply these compensating controls:
1. Restrict access to /admin/edit_room.php: limit the admin area to trusted networks or a VPN, and add a web application firewall (WAF) rule that rejects requests whose room_id value is not purely numeric. Blocking only SQL metacharacters (single quote, semicolon, double dash) is a weaker fallback, because numeric payloads such as 1 OR 1=1 contain none of them.
2. Enforce strong, unique admin credentials and lock accounts after repeated failed logins; the injection is only reachable after authentication, so credential hygiene directly limits exposure.
3. Fix the code: validate that room_id is a positive integer before use, and pass it to the database through a prepared statement with a bound parameter instead of string concatenation.
4. Enable database query logging and alert on room_id values that contain non-digit characters or SQL keywords such as UNION, SELECT, SLEEP or BENCHMARK.
The CVE was assigned by VulDB acting as CNA (cna@vuldb.com); for official patch status and timeline, contact the vendor via https://www.campcodes.com/.