CVE-2025-15214 identifies a cross-site scripting vulnerability in Campcodes Park Ticketing System version 1.0, specifically within the save_pricing function of the admin_class.php file. The vulnerability arises from improper sanitization of user-controlled input parameters 'name' and 'ride', which are processed without adequate validation or encoding. This flaw enables an attacker to inject malicious JavaScript code remotely, which executes in the context of an administrative user’s browser. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but demands high privileges (PR:H) and user interaction (UI:P), indicating that the attacker must have administrative access and trick the admin into triggering the payload. The vulnerability does not impact confidentiality, integrity, or availability directly (VC:N, VI:L, VA:N), but can lead to indirect consequences such as session hijacking or unauthorized actions performed by the admin. No authentication bypass or scope changes are involved. Although no known exploits are currently active in the wild, the public availability of exploit code increases the risk of exploitation. The vulnerability is categorized as medium severity with a CVSS 4.8 score, reflecting moderate risk primarily due to the requirement for administrative privileges and user interaction. The lack of official patches or mitigation guidance from the vendor necessitates proactive defensive measures by affected organizations.

For European organizations using Campcodes Park Ticketing System 1.0, this vulnerability poses a risk primarily to administrative users who manage pricing configurations. Successful exploitation could allow attackers to execute arbitrary scripts in the admin’s browser, potentially leading to session hijacking, unauthorized changes to ticket pricing, or redirection to malicious sites. This could disrupt business operations, damage reputation, and result in financial losses. Since the system is used in park ticketing, any compromise could impact customer trust and data integrity. The medium severity and requirement for high privileges limit the scope but do not eliminate risk, especially in environments with weak internal controls or insufficient user training. European amusement parks and tourism operators relying on this system may face targeted attacks aiming to disrupt services during peak seasons or exploit financial transactions. Additionally, regulatory compliance under GDPR requires organizations to protect administrative interfaces from such vulnerabilities to avoid penalties.

1. Implement strict input validation and output encoding on the 'name' and 'ride' parameters within the save_pricing function to neutralize malicious scripts. 2. Restrict access to the administrative interface using network segmentation, VPNs, or IP whitelisting to limit exposure. 3. Enforce multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise. 4. Conduct regular security training for administrators to recognize phishing or social engineering attempts that could trigger the XSS payload. 5. Monitor logs and web traffic for unusual activity related to the save_pricing function or admin interface. 6. If vendor patches become available, apply them promptly. 7. Consider deploying web application firewalls (WAF) with custom rules to detect and block XSS payloads targeting this vulnerability. 8. Review and harden session management to prevent session hijacking in case of successful script execution. 9. Perform periodic security assessments and code reviews of the ticketing system to identify and remediate similar vulnerabilities.