Severity by source
NVD (primary rating; the only source for this CVE), CVSS 4.0 vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Reading the vector: network-reachable (AV:N), low attack complexity, no special conditions, no privileges (PR:N) and no user interaction (UI:N) required; confidentiality, integrity and availability impact on the vulnerable system are all rated Low (VC:L/VI:L/VA:L) with no impact on subsequent systems; the threat metric E:P records that a proof-of-concept exploit exists. Because every impact metric is Low, the "critical" wording in the description below is the CNA's qualitative rating and should not be read as a CVSS Critical severity.
Description (source: CVE.org)
A vulnerability, which was classified as critical, was found in Campcodes Online Movie Theater Seat Reservation System 1.0. This affects the function save_movie of the file /admin/admin_class.php. The manipulation of the argument cover leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
CVE-2025-7547 is an unrestricted file upload vulnerability in Campcodes Online Movie Theater Seat Reservation System 1.0, in the save_movie function of /admin/admin_class.php. The 'cover' argument (the uploaded movie cover image) is not restricted to safe file types, so a remote attacker who can reach the endpoint can upload arbitrary files. The NVD vector rates the flaw as requiring no privileges (PR:N) and no user interaction, which implies the upload handler is reachable without a valid admin session. In a PHP application, a .php file written under the web root gives remote code execution, and with it data compromise and service disruption. A public exploit has been disclosed (threat metric E:P), which raises the likelihood of opportunistic exploitation; the advisory does not report confirmed in-the-wild exploitation.
Technical Context (AI-generated)
The vulnerability is in a PHP web application (Campcodes Online Movie Theater Seat Reservation System 1.0) whose admin_class.php file handles movie data persistence. The save_movie function accepts the 'cover' upload without restricting the file type; the usual shape of this defect is trusting the client-supplied file name, extension or Content-Type and writing the file into a web-served directory, so that an uploaded PHP script can then be requested and executed. The record carries CWE-284 (Improper Access Control); the behaviour described is the CWE-434 pattern (Unrestricted Upload of File with Dangerous Type). Note the tension between the file's location under /admin/ and the PR:N in the NVD vector: verify whether admin_class.php enforces a session check on the save_movie code path before relying on the admin login as a control. CPE identifier: cpe:2.3:a:campcodes:online_movie_theater_seat_reservation_system:1.0:*:*:*:*:*:*:*
Remediation (AI-generated)
Immediate mitigation: restrict access to /admin/admin_class.php to authenticated administrators, either in the web server configuration (Apache/Nginx/.htaccess rules) or with an application-level session check at the top of the script, and confirm the check actually fires for the save_movie code path.
Input validation: in save_movie, (1) allowlist file extensions (.jpg, .jpeg, .png, .gif only), taking the extension from the last dot of the client-supplied name; (2) detect the MIME type server-side from file content with the PHP fileinfo extension (finfo), never from the client's Content-Type; (3) check the file's magic bytes against the allowlisted type; (4) store uploads outside the web root, or in a directory where the web server will not execute scripts; (5) discard the client-supplied name and store the file under a random identifier with the allowlisted extension.
Patching: contact Campcodes for a security update and check the vendor website/GitHub for a fix referencing CVE-2025-7547. If none is available, patch the upload handler internally or replace the application.
Deployment hardening: disable script execution in the upload directory. With mod_php, set php_flag engine off in that directory's .htaccess, or deny requests for script files outright with a FilesMatch block for .php/.phtml/.phar that contains Require all denied; with nginx, add a location block for the upload path that returns 403 for requests ending in .php instead of passing them to php-fpm. AddType text/plain .php on its own is unreliable, because a SetHandler directive or a php-fpm location match in the server configuration still executes the file.
Monitoring: alert on POST requests to /admin/admin_class.php from unexpected sources or without a valid session, run file integrity monitoring on the upload directory (a new file whose content is not an image, or whose name ends in .php, is an indicator), and log every upload attempt with source IP, original filename, detected MIME type and outcome.
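As an added example (not code from Campcodes or from the original page), the following PHP shows a cover-image upload handler hardened along the five validation points above, with the admin-session gate from the immediate mitigation in front of it. The function names validate_cover_upload and require_admin_session, the constant UPLOAD_DIR and its path, the 2 MB size limit and the session key 'login_id' are all assumptions; the advisory does not name the application's real session variable or upload directory.

```php
<?php
// Added example, not Campcodes code. Hardened handling of a cover-image upload
// standing in for the 'cover' argument of save_movie(). Names marked "assumed"
// are placeholders chosen for this example.

declare(strict_types=1);

// Assumed: a directory outside the web root, writable by the PHP worker only.
const UPLOAD_DIR = '/var/lib/movie_app/covers';

// Allowlisted extension -> MIME type expected from the file *content*.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Magic bytes checked in addition to fileinfo.
const MAGIC = [
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/png'  => ["\x89PNG\r\n\x1A\n"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

// Assumed session key: adjust 'login_id' to whatever the application sets on login.
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['login_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * Validate one entry of $_FILES and move it into $uploadDir under a random name.
 * Returns the stored file name; throws on anything that is not a genuine image.
 */
function validate_cover_upload(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] <= 0 || $file['size'] > 2 * 1024 * 1024) {   // assumed 2 MB cap
        throw new RuntimeException('Rejected: size out of range');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected: not an uploaded file');
    }

    // (1) Extension allowlist from the LAST dot only, lowercased. "shell.php.jpg"
    // passes this step but is stored under a random name with a .jpg extension,
    // and its content must still pass the checks below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Rejected: extension not allowed');
    }
    $expectedMime = ALLOWED_TYPES[$ext];

    // (2) MIME type detected from content by the fileinfo extension, not $file['type'].
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $expectedMime) {
        throw new RuntimeException("Rejected: content is $detected, expected $expectedMime");
    }

    // (3) Magic bytes must match the allowlisted type as well.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 16);
    $ok   = false;
    foreach (MAGIC[$expectedMime] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            $ok = true;
            break;
        }
    }
    if (!$ok) {
        throw new RuntimeException('Rejected: magic bytes do not match');
    }
    // A file that only carries a forged header fails to decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Rejected: not a decodable image');
    }

    // (4) + (5): random name, allowlisted extension, directory outside the web root.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0644);
    return $stored;
}

// Usage at the top of the save_movie code path (names assumed):
// require_admin_session();
// $cover = validate_cover_upload($_FILES['cover']);  // persist $cover with the movie row
```

Because the file lands outside the web root, the application needs a small read-only script (or an X-Sendfile/X-Accel-Redirect handler) that streams covers back with a fixed image Content-Type; that script should look the stored name up from the database rather than accept a path from the client.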
Also tracked as EUVD-2025-21275 (EU Vulnerability Database).