CVE-2025-15214 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-15214?

CVE-2025-15214 has a CVSS score of 2.4 (LOW). This vulnerability allows attackers to inject malicious scripts into the Campcodes Park Ticketing System 1.0 through the save_pricing function in admin_class.php. The cross-site scripting (XSS) attack can be performed remotely and may affect administrators or users who view manipulated content. The exploit is publicly available, increasing the risk of exploitation.

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the Campcodes Park Ticketing System 1.0 through the save_pricing function in admin_class.php. The cross-site scripting (XSS) attack can be performed remotely and may affect administrators or users who view manipulated content. The exploit is publicly available, increasing the risk of exploitation.

💻 Affected Systems

Products:

Campcodes Park Ticketing System

Versions: 1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires administrative access to the save_pricing function, but exploitation can be performed remotely.

📦 What is this software?

Park Ticketing System by Campcodes

View all CVEs affecting Park Ticketing System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions on behalf of authenticated users, deface the application, or redirect users to malicious sites.

🟠

Likely Case

Session hijacking leading to unauthorized administrative access, data theft, or website defacement.

🟢

If Mitigated

Limited impact if input validation and output encoding are properly implemented, though some functionality disruption may occur.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com, making it accessible to attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and output encoding as a workaround, or replace the software with a secure alternative.

🔧 Temporary Workarounds

Implement Input Validation and Output Encoding

all

Add server-side validation to sanitize the 'name' and 'ride' parameters in admin_class.php, and encode output to prevent script execution.

Edit admin_class.php to add htmlspecialchars() or similar functions around user inputs in save_pricing function.

Restrict Admin Access

all

Limit access to the admin interface to trusted IP addresses only.

Add IP whitelisting rules in .htaccess or web server configuration for the admin directory.

🧯 If You Can't Patch

Deploy a web application firewall (WAF) with XSS protection rules.
Monitor admin access logs for unusual activity and implement strong session management.

🔍 How to Verify

Check if Vulnerable:

Review the admin_class.php file for the save_pricing function and check if input sanitization is applied to 'name' and 'ride' parameters.

Check Version:

Check the software version in the system's admin panel or configuration files.

Verify Fix Applied:

Test the save_pricing functionality with script payloads to ensure they are properly encoded or blocked.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to admin_class.php with script tags or JavaScript in parameters.
Multiple failed login attempts followed by admin access.

Network Indicators:

Traffic to admin endpoints containing malicious script patterns.

SIEM Query:

source="web_logs" AND uri="/admin_class.php" AND (param="name" OR param="ride") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2025-15214

CVSS v3 Score: 2.4 (LOW)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-79

EPSS Score: 0.05% exploit probability (15.8th percentile)

Published: December 30, 2025

Last Updated: January 7, 2026

🔗 References

https://github.com/dobkill/CVE/issues/2 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.338599 Permissions Required,VDB Entry
https://vuldb.com/?id.338599 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.725104 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.728898 Third Party Advisory,VDB Entry
https://www.campcodes.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15214, you might also want to check these: