CVE-2025-14991 is a cross-site scripting vulnerability identified in Campcodes Complete Online Beauty Parlor Management System version 1.0. The vulnerability resides in the /admin/bwdates-reports-details.php file, where the fromdate parameter is improperly sanitized, allowing an attacker to inject malicious JavaScript code. This injection can be executed remotely without requiring authentication, although user interaction is necessary to trigger the malicious script, such as by an administrator or user visiting a crafted URL or page. The vulnerability could allow attackers to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites, compromising confidentiality and integrity. The CVSS 4.8 score reflects a medium severity, considering the ease of remote exploitation but the need for user interaction and presence of privileges. No patches have been officially released yet, and no known exploits in the wild have been reported, but public exploit code availability increases the risk of future attacks. The vulnerability affects only version 1.0 of the product, which is a niche management system primarily used by beauty parlors for appointment and business management. The lack of input validation or output encoding in the affected parameter is the root cause of this vulnerability.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions within the affected management system. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. This could disrupt business operations, lead to data leakage, or damage customer trust. Since the system is used by beauty parlors, which may store sensitive customer information such as contact details and appointment histories, the exposure of such data could have privacy implications. The remote attack vector and public availability of exploit code increase the likelihood of targeted attacks, especially against smaller businesses that may lack robust cybersecurity defenses. However, the requirement for user interaction and administrative privileges limits the scope somewhat, reducing the risk of automated widespread exploitation. Overall, the vulnerability could facilitate targeted attacks against businesses using this software, potentially leading to reputational damage and operational disruptions.

To mitigate this vulnerability, organizations should first check for any official patches or updates from Campcodes and apply them promptly once available. In the absence of patches, implement strict input validation and output encoding on the fromdate parameter to neutralize any injected scripts. Employ a web application firewall (WAF) with rules designed to detect and block XSS payloads targeting this parameter. Restrict access to the /admin directory to trusted IP addresses or VPN users to reduce exposure. Educate administrators and users to avoid clicking on suspicious links or URLs that could trigger the XSS exploit. Regularly audit and monitor web server logs for unusual requests or attempts to exploit the fromdate parameter. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser. Finally, conduct security awareness training for staff to recognize phishing or social engineering attempts that could leverage this vulnerability.