CVE-2025-7457

Severity: 7.3 HIGH

📋 TL;DR

This high-severity SQL injection vulnerability in Campcodes Online Movie Theater Seat Reservation System 1.0 lets an attacker manipulate database queries through the ID parameter of /admin/manage_movie.php, and so potentially read, modify, or delete database content remotely. All users running version 1.0 of this system are affected.

💻 Affected Systems

Products:
  • Campcodes Online Movie Theater Seat Reservation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including theft of sensitive data (user credentials, payment information), data destruction, and potential server takeover if the SQL injection can be escalated to remote code execution.

🟠 Likely Case: Unauthorized data access and modification, privilege escalation to admin accounts, and data exfiltration from the database.

🟢 If Mitigated: Limited impact, provided that input validation, parameterized queries, and network segmentation keep attacker-controlled input away from the database.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires admin access to reach the /admin/manage_movie.php endpoint. SQL injection techniques are well documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to alternative software or applying the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation for the ID parameter so that it accepts only the expected values.

Web Application Firewall Rules (applies to: all)

Deploy WAF rules that block SQL injection patterns targeting /admin/manage_movie.php.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system from critical databases
  • Deploy intrusion detection systems to monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test the /admin/manage_movie.php endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1)

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify that SQL injection payloads no longer execute: the request should either be blocked or return an appropriate error message.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts to admin panel followed by SQL injection attempts

Network Indicators:

  • HTTP requests to /admin/manage_movie.php containing SQL keywords (UNION, SELECT, INSERT, etc.)

SIEM Query:

source="web_logs" AND uri="/admin/manage_movie.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")
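As an added defensive example (not from the advisory or the vendor), the rule behind the SIEM query above written as a small Python log scanner: it scopes matching to /admin/manage_movie.php, percent-decodes the query string so encoded payloads do not slip past a raw keyword match, and additionally flags any non-integer ID value. The log lines and the assumption that a movie ID is a plain integer are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory; the ID parameter is the injection point.
TARGET_PATH = "/admin/manage_movie.php"
# Keywords from the page's SIEM query plus a few common companions.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)
# Tautology shape the advisory's verification step mentions (' OR ').
TAUTOLOGY = re.compile(r"'\s*OR\s*'", re.I)
# Combined access-log format (Apache/nginx style).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) [^"]+" (?P<status>\d{3})')

def classify_request(line):
    """Return a finding for a suspicious hit on the target endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None  # only this endpoint is in scope; keeps false positives down
    # Decode twice so single- and double-percent-encoded payloads both become
    # visible; the advisory's raw "*UNION*" SIEM match sees neither form.
    query = unquote(unquote(parts.query))
    values = parse_qs(query, keep_blank_values=True).get("ID", [])
    reasons = set()
    for v in values:
        # Assumption: a movie ID is a plain integer; anything else is anomalous.
        if not re.fullmatch(r"\d+", v):
            reasons.add("non-numeric ID")
        if SQL_KEYWORDS.search(v):
            reasons.add("sql keyword")
        if TAUTOLOGY.search(v):
            reasons.add("tautology")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "id": values, "reasons": sorted(reasons)}

def scan(lines):
    return [f for f in map(classify_request, lines) if f]

# Constructed sample lines (not real traffic): one benign hit, two injection
# attempts (the second percent-encodes its keywords), one off-scope request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2025:12:00:01 +0000] "GET /admin/manage_movie.php?ID=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jul/2025:12:00:07 +0000] "GET /admin/manage_movie.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9133',
    '10.0.0.9 - - [10/Jul/2025:12:00:09 +0000] "GET /admin/manage_movie.php?ID=1%20UN%49ON%20SEL%45CT%201 HTTP/1.1" 500 128',
    '10.0.0.5 - - [10/Jul/2025:12:00:12 +0000] "GET /admin/index.php?page=UNION HTTP/1.1" 200 400',
]
```

Calling scan(SAMPLE_LOG) yields two findings, both from 10.0.0.9; the benign ID=7 request and the off-endpoint request are ignored, which is the false-positive control the bare keyword query lacks.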
