EUVD-2025-21102

CVE-2025-7436 | HIGH 7.3 (CVSS 3.1)
2025-07-11 [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:17 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:17 (euvd), EUVD-2025-21102
PoC Detected: Jul 16, 2025 - 16:42 (vuln.today), public exploit code
CVE Published: Jul 11, 2025 - 04:15 (nvd), rated HIGH 7.3

Description

A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_vacancy. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7436 is a SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, rated HIGH with a CVSS 3.1 base score of 7.3 (the source record's own wording calls it "critical"). It affects the /admin/ajax.php?action=delete_vacancy endpoint, where the ID parameter is used in a database query without adequate sanitization. The CVSS vector (AV:N, AC:L, PR:N, UI:N) describes a remote attacker who needs no privileges and no user interaction; such an attacker can run attacker-controlled SQL against the application database, with confidentiality, integrity and availability impact each scored Low. Because a proof-of-concept exploit has been publicly disclosed, the likelihood of real-world exploitation is higher than the base score alone suggests.

Technical Context

The vulnerability exists in a PHP-based web application (Campcodes Online Recruitment Management System) that exposes administrative functions through AJAX endpoints. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the general injection weakness of which SQL injection (CWE-89) is the specific child: user input is placed into a SQL statement without parameterization or validation. The /admin/ajax.php file dispatches on the 'action' parameter; for 'delete_vacancy' it incorporates the user-supplied 'ID' value directly into the SQL string instead of binding it with a prepared statement. This is a direct (first-order) SQL injection: the attacker-controlled text is parsed as part of the statement in the same request that supplies it, so SQL syntax injected through the ID parameter changes the query's logic and executes attacker-chosen database operations.
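The pattern described above, shown as an added example that is neither Campcodes' code nor code from this page: a Python/sqlite3 stand-in for the PHP handler, with the vulnerable string-concatenation form beside a hardened form that whitelists a positive integer and binds it as a query parameter. The table name `vacancies`, its columns, and the in-memory SQLite database are assumptions chosen so the example runs offline; the real application's schema and database engine are not given on this page.

```python
import re
import sqlite3

# Constructed schema and rows standing in for the application's vacancy
# table (assumed names; the page does not give the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vacancies (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO vacancies (id, title) VALUES (?, ?)",
        [(1, "Backend Engineer"), (2, "SOC Analyst"), (3, "DBA")],
    )
    db.commit()
    return db


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM vacancies").fetchone()[0]


def delete_vacancy_vulnerable(db, raw_id):
    """Mirrors the reported defect: the request parameter is spliced into the
    SQL text, so whatever it contains is parsed as SQL, not treated as a value.
    Returns the number of rows left afterwards."""
    sql = "DELETE FROM vacancies WHERE id = " + raw_id   # injection point
    db.execute(sql)
    db.commit()
    return count_rows(db)


# Whitelist: a positive integer with no leading zeros, nothing else.
VALID_ID = re.compile(r"^[1-9][0-9]*$")


def is_valid_id(raw_id):
    return bool(VALID_ID.match(raw_id))


def delete_vacancy_hardened(db, raw_id):
    """Validate first, then bind the value with a prepared statement so the
    database driver never sees it as SQL syntax. Rejects bad input by raising
    instead of touching the table."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    db.execute("DELETE FROM vacancies WHERE id = ?", (int(raw_id),))
    db.commit()
    return count_rows(db)


if __name__ == "__main__":
    # A legitimate request removes one row; the injected request removes all.
    db = make_db()
    print("vulnerable, id=2       ->", delete_vacancy_vulnerable(db, "2"), "rows left")
    print("vulnerable, id=1 OR 1=1 ->", delete_vacancy_vulnerable(db, "1 OR 1=1"), "rows left")

    db = make_db()
    print("hardened, id=2          ->", delete_vacancy_hardened(db, "2"), "rows left")
    try:
        delete_vacancy_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened, id=1 OR 1=1   -> rejected:", exc)
```

The payload `1 OR 1=1` is the simplest demonstration of why a numeric-looking parameter still needs binding: the vulnerable query becomes `DELETE ... WHERE id = 1 OR 1=1`, which is true for every row. The hardened version rejects the value before any query runs, and even if validation were skipped the bound parameter would be compared as an integer, not parsed as SQL.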

Affected Products

Campcodes Online Recruitment Management System version 1.0 (all installations). No CPE data is provided in the source material; the affected product can be referenced as:

Product: Campcodes Online Recruitment Management System
Affected Version: 1.0
Vulnerable Component: /admin/ajax.php (delete_vacancy action)
Parameter: ID

No vendor advisory links are provided in the available intelligence. Cross-reference Campcodes' official channels, the project's GitHub repository (if public), and Exploit-DB for patch availability and the vendor response timeline.

Remediation

Immediate actions:

1. Use parameterized queries/prepared statements for every database interaction in /admin/ajax.php; the DELETE for delete_vacancy should bind the ID value rather than concatenate it into the statement.
2. Validate the ID parameter strictly before it reaches the query (whitelist positive integers if IDs are numeric), and reject anything else.
3. Enforce authentication and authorization on the admin AJAX endpoint so that only a valid admin session can reach delete_vacancy; the CVSS vector (PR:N) indicates this check is missing or ineffective in 1.0.
4. As a compensating control only, deploy Web Application Firewall (WAF) rules that block SQL injection patterns in the ID parameter (single quotes, UNION/OR/AND keywords, comment sequences). Signature rules can be bypassed with encoding and alternative syntax, so they do not substitute for the code fix.

Long-term:

1. Audit every AJAX endpoint and database call site in the application for the same concatenation pattern.
2. Move database access to a query builder or ORM whose normal API parameterizes values, so that raw string concatenation becomes the exception that stands out in review.
3. Apply least privilege to the database account used by the web application: it should hold only the DML rights the admin panel needs and no DROP, ALTER or file-access privileges.

Patch availability: check Campcodes' official website or GitHub repository, or contact the vendor directly, for a fixed version. If none is available within a reasonable window (the source suggests 30 days), plan to replace the software or rely on the compensating controls above with monitoring.
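For the monitoring side of the compensating controls, here is an added example (not code from this page or from Campcodes) that hunts web server access logs for requests to the vulnerable endpoint whose ID value is not a plain positive integer. The log lines are constructed Apache combined-format samples, not real traffic; the lowercase `id` query-string name and the use of GET are assumptions, since the page names only the endpoint and the 'ID' argument. If the application sends the parameter in a POST body, ordinary access logs will not contain it and the same check has to run on WAF or application logs instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:10:15:22 +0000] "GET /admin/ajax.php?action=delete_vacancy&id=12 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2025:10:16:01 +0000] "GET /admin/ajax.php?action=delete_vacancy&id=1%20OR%201%3D1 HTTP/1.1" 200 45 "-" "python-requests/2.32"
198.51.100.7 - - [12/Jul/2025:10:16:03 +0000] "GET /admin/ajax.php?action=delete_vacancy&id=1'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 45 "-" "python-requests/2.32"
192.0.2.5 - - [12/Jul/2025:10:17:40 +0000] "GET /admin/ajax.php?action=list_vacancies HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method,
# request target, status. Everything after the request line is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/admin/ajax.php"
VULN_ACTION = "delete_vacancy"
ID_PARAMS = ("id", "ID")            # parameter name is an assumption
VALID_ID = re.compile(r"^[1-9][0-9]*$")

# Loose hint that the anomalous value looks like SQL rather than a typo.
SQLI_HINT = re.compile(r"(?i)(\bor\b|\band\b|\bunion\b|\bselect\b|\bsleep\b|--|/\*|#|')")


def hunt(log_text):
    """Return one finding per delete_vacancy request whose id is not a plain
    positive integer. Decoding happens in parse_qs, so %20/%3D payloads are
    inspected in their decoded form."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("action", [""])[0] != VULN_ACTION:
            continue
        for key in ID_PARAMS:
            for raw in qs.get(key, []):
                if VALID_ID.match(raw):
                    continue
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "id": raw,
                    "sqli_hint": bool(SQLI_HINT.search(raw)),
                })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = "SQLi-like" if f["sqli_hint"] else "anomalous"
        print(f"{f['ts']} {f['ip']} status={f['status']} {flag} id={f['id']!r}")
```

The check deliberately alerts on any non-integer ID rather than on a signature list, because a blocklist of keywords is exactly what the WAF rules above already attempt and what an attacker will test against; the `sqli_hint` field only helps triage. A 200 status on a flagged request is worth treating as a successful injection attempt until the database has been checked for missing vacancies.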

Priority Score: 57

Components: KEV 0, EPSS +0.1, CVSS +36, POC +20

EUVD-2025-21102 vulnerability details – vuln.today
