How to fix EUVD-2025-21183?

Within 24 hours: Identify all systems running Campcodes version 1.0 and isolate them from production networks if possible; restrict access to /reserve.php to known administrative IPs only; enable comprehensive logging on the affected application. Within 7 days: Deploy WAF rules to block SQL injection patterns targeting the ID parameter; conduct forensic review of database access logs for signs of exploitation; notify affected customers of the vulnerability. Within 30 days: Evaluate migration to a patched version or alternative booking system; implement network segmentation to limit database access; conduct full security assessment of the application.

Is PHP affected by EUVD-2025-21183?

A SQL injection vulnerability in the Campcodes Online Movie Theater Seat Reservation System allows remote attackers to compromise the booking database without authentication.

EUVD-2025-21183

| CVE-2025-7456 HIGH

2025-07-11 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 08:18 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 08:18 euvd

EUVD-2025-21183

PoC Detected

Jul 16, 2025 - 14:59 vuln.today

Public exploit code

CVE Published

Jul 11, 2025 - 20:15 nvd

HIGH 7.3

Description

A vulnerability, which was classified as critical, has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected by this issue is some unknown functionality of the file /reserve.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7456 is a critical SQL injection vulnerability in Campcodes Online Movie Theater Seat Reservation System version 1.0, affecting the /reserve.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the reservation database. Public exploit code is available, indicating active disclosure risk.

Technical Context

The vulnerability is a CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) manifestation, specifically SQL injection. The /reserve.php endpoint fails to properly sanitize or parameterize the ID parameter before incorporating it into SQL queries. This is a classic first-order SQL injection where user-supplied input reaches the SQL parser without adequate escaping or prepared statement usage. The affected product is a web-based reservation system written in PHP, indicating likely use of mysqli or PDO libraries without parameterized queries. CPE identifier would be: cpe:2.3:a:campcodes:online_movie_theater_seat_reservation_system:1.0:*:*:*:*:*:*:*

Affected Products

- vendor: Campcodes; product: Online Movie Theater Seat Reservation System; affected_version: 1.0; vulnerable_component: /reserve.php (ID parameter); cpe: cpe:2.3:a:campcodes:online_movie_theater_seat_reservation_system:1.0:*:*:*:*:*:*:*

Remediation

patch: Contact Campcodes for security patch or upgrade timeline input_validation: $id = (int)$_GET['id']; if($id <= 0) { reject request; } waf_mitigation: Block requests containing SQL keywords (UNION, SELECT, DROP, etc.) in the ID parameter access_control: Implement authentication checks before processing ID parameter

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

EUVD-2025-21183 vulnerability details – vuln.today

Back

EUVD-2025-21183

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-21183

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code