
CVE-2025-7149: SQL Injection in Campcodes Advanced Online Voting System

Severity: Medium
Type: Vulnerability (CVE-2025-7149)
Published: Mon Jul 07 2025 (07/07/2025, 22:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Advanced Online Voting System

Description

A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/candidates_delete.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 22:24:29 UTC

Technical Analysis

CVE-2025-7149 is a SQL Injection vulnerability identified in Campcodes Advanced Online Voting System version 1.0. The flaw exists in the /admin/candidates_delete.php file, specifically through the manipulation of the 'ID' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code remotely without requiring user interaction or authentication. The vulnerability enables an attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. Given that this is an online voting system, exploitation could compromise the integrity of election data, manipulate candidate information, or disrupt the voting process. Although the CVSS 4.0 base score is 5.3 (medium severity), the context of the affected system elevates the risk profile due to the critical nature of election systems. The vulnerability is publicly disclosed, increasing the likelihood of exploitation attempts, although no known exploits in the wild have been reported yet. The attack vector is network-based with low attack complexity and no privileges or user interaction required, which facilitates remote exploitation by threat actors.

Potential Impact

For European organizations, especially governmental bodies or electoral commissions using Campcodes Advanced Online Voting System 1.0, this vulnerability poses a significant threat to the confidentiality, integrity, and availability of election data. Successful exploitation could lead to unauthorized disclosure of sensitive voter or candidate information, alteration or deletion of candidate records, and ultimately manipulation of election outcomes. This undermines public trust in democratic processes and could have severe political and social consequences. Additionally, disruption of the voting system availability during critical election periods could impede voting operations. Even organizations indirectly involved in election infrastructure or third-party service providers using this software could face reputational damage and legal liabilities under European data protection regulations such as GDPR if voter data is compromised.

Mitigation Recommendations

1. Immediate patching or upgrading to a fixed version of Campcodes Advanced Online Voting System is the most effective mitigation; however, no patch links are currently provided, so organizations should contact the vendor for updates.
2. Implement strict input validation and parameterized queries or prepared statements in the affected /admin/candidates_delete.php script to prevent SQL injection.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'ID' parameter.
4. Restrict access to the administrative interface via network segmentation, VPNs, or IP whitelisting to reduce exposure.
5. Conduct thorough security audits and penetration testing focused on injection flaws in election-related systems.
6. Monitor logs for suspicious database queries or repeated failed attempts to manipulate the 'ID' parameter.
7. Establish incident response plans specifically addressing election system compromises to ensure rapid containment and recovery.
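To make recommendation 2 concrete, the following is an added illustration (not Campcodes' own code, which is not reproduced on this page) of a hypothetical candidate-delete handler: the injectable string-concatenation pattern beside a version that validates the ID as an integer and binds it through a mysqli prepared statement. The table name `candidates`, column `id`, and the `$db` connection are assumptions.

```php
<?php
// Added example, not the project's code. Assumes an open mysqli connection in $db
// and an assumed table `candidates` with an integer primary key `id`.

function delete_candidate_unsafe(mysqli $db, string $id): void
{
    // VULNERABLE pattern: the request value is spliced into the SQL text, so any
    // quote or operator in the parameter can change the structure of the query.
    $db->query("DELETE FROM candidates WHERE id = '$id'");
}

function delete_candidate_safe(mysqli $db, string $rawId): int
{
    // 1. Validate: the ID must be a positive integer. Anything else is rejected
    //    before it ever reaches the database layer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid candidate id');
    }

    // 2. Parameterize: the placeholder keeps the value out of the SQL text, so the
    //    query structure is fixed regardless of what the client sent.
    $stmt = $db->prepare('DELETE FROM candidates WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);
        exit('database error');
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();

    // 3. Audit: record the deletion so unexpected activity on this endpoint
    //    (recommendation 6) is visible in the logs.
    error_log(sprintf('candidate %d deleted (%d row(s))', $id, $stmt->affected_rows));
    return $stmt->affected_rows;
}

// Usage inside the admin page, after the existing admin-session check has run:
// $deleted = delete_candidate_safe($db, $_GET['id'] ?? '');
```

The validation step alone would stop this particular issue, but the prepared statement is the control that holds even if a later change accepts non-numeric identifiers.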


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-07T05:54:41.946Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686c45946f40f0eb72ed5ce6

Added to database: 7/7/2025, 10:09:24 PM

Last enriched: 7/7/2025, 10:24:29 PM

Last updated: 7/15/2025, 9:47:58 AM
