CVE-2025-7151 is a vulnerability identified in Campcodes Advanced Online Voting System version 1.0. The issue arises from an unrestricted file upload vulnerability in the /admin/voters_add.php endpoint, specifically through manipulation of the 'photo' argument. This vulnerability allows an attacker to upload arbitrary files without proper validation or restriction, potentially enabling remote code execution or other malicious activities. The vulnerability is exploitable remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS 4.0 base score is 5.3, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability, and the requirement of low privileges (PR:L) for exploitation. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The unrestricted upload flaw could allow attackers to deploy web shells or malware, compromise the voting system's integrity, manipulate election data, or disrupt availability, undermining trust in the voting process. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked yet.

For European organizations, particularly those involved in electoral processes or civic engagement platforms using Campcodes Advanced Online Voting System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access and manipulation of voter data, alteration of election results, or denial of service, thereby threatening democratic processes and public trust. Given the critical nature of election integrity in Europe, any compromise could have severe political and social consequences. Additionally, the presence of malicious files on election infrastructure could serve as a foothold for broader network compromise, potentially affecting other connected systems. Organizations relying on this software without timely mitigation may face regulatory scrutiny under GDPR for failing to protect personal data. The medium CVSS score suggests moderate risk, but the critical context of election systems elevates the potential impact beyond typical IT environments.

Immediate mitigation steps include restricting access to the /admin/voters_add.php endpoint through network segmentation and strict access controls, limiting it only to trusted administrative users and IP addresses. Implementing web application firewalls (WAFs) with rules to detect and block suspicious file uploads can reduce exploitation risk. Administrators should audit the server for any unauthorized files and monitor logs for unusual upload activity. Since no official patches are currently available, organizations should consider disabling the photo upload feature temporarily or replacing the vulnerable component with a more secure alternative. Additionally, enforcing strict file type validation, size limits, and scanning uploaded files for malware can mitigate risk once uploads are necessary. Regular backups and incident response plans tailored to election systems should be reviewed and updated to handle potential compromises. Finally, organizations should monitor threat intelligence feeds for any emerging exploits or patches related to CVE-2025-7151.