CVE-2025-15214
Description
A vulnerability was found in Campcodes Park Ticketing System 1.0. The impacted element is the function save_pricing of the file admin_class.php. Manipulation of the argument name/ride results in cross-site scripting. The attack can be performed remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Campcodes Park Ticketing System 1.0 admin_class.php save_pricing function has stored XSS via the name parameter.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in Campcodes Park Ticketing System version 1.0. The flaw resides in the save_pricing function within the admin_class.php file. The application does not properly sanitize user-supplied input in the name parameter, allowing an attacker to store arbitrary HTML and JavaScript payloads on the server [2].
Exploitation
The attack requires no authentication according to the published proof of concept, as the vulnerable endpoint is accessible remotely. An attacker can inject a malicious script into the name parameter via the admin_class.php form. When the pricing page is subsequently loaded by any user, including administrators, the stored script executes in the context of their browser session [2].
Impact
Successful exploitation enables the attacker to execute arbitrary script code in the browsers of users who visit the affected page. This can lead to session hijacking, theft of sensitive information, or defacement of the administrative interface. The CVSS v3 score for this issue is 2.4 (Low), reflecting the requirement that an administrator-level interaction is typically needed to view the stored pricing entries [1].
Mitigation
The vulnerability has been publicly disclosed with a working proof of concept [2]. As of the publication date, Campcodes has not released a patch for this issue in their free source code distribution. Users are advised to sanitise input from the name and ride parameters before storing or displaying data, or to restrict access to the admin panel until a vendor-supplied update is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:campcodes:park_ticketing_system:1.0:*:*:*:*:*:*:*
- (no CPE) range: = 1.0
Patches
No patches discovered yet.
References
- github.com/dobkill/CVE/issues/2 (nvd: Exploit, Issue Tracking, Third Party Advisory)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Permissions Required, VDB Entry)
- www.campcodes.com (nvd: Product)