
CVE-2025-7455: SQL Injection in Campcodes Online Movie Theater Seat Reservation System

Severity: Medium
Tags: Vulnerability, CVE-2025-7455, cve, cve-2025-7455
Published: Fri Jul 11 2025 (07/11/2025, 19:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Movie Theater Seat Reservation System

Description

A vulnerability classified as critical was found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /manage_reserve.php. Manipulation of the argument mid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/11/2025, 20:01:07 UTC

Technical Analysis

CVE-2025-7455 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Movie Theater Seat Reservation System. It resides in the /manage_reserve.php file, specifically in the handling of the 'mid' parameter, whose value reaches a database query without adequate validation or parameterization. A remote attacker can therefore supply a crafted 'mid' value that alters the query, potentially reading, modifying, or deleting data in the backend database, with the exact reach depending on the privileges of the database account the application uses. The vulnerability requires no authentication or user interaction, so any remote party with network access to the affected system can attempt it. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. Confidentiality, integrity, and availability impacts are each rated low individually, but in combination they can significantly compromise the reservation system's data integrity and confidentiality. No patches or mitigations have been publicly disclosed yet; although no exploitation in the wild is currently known, the public disclosure of exploit code increases the likelihood of exploitation.

Potential Impact

For European organizations operating or using the Campcodes Online Movie Theater Seat Reservation System, this vulnerability poses a tangible risk to customer data privacy and operational continuity. Exploitation could lead to unauthorized access to sensitive customer information such as reservation details, personal identifiers, and payment-related data if stored in the database. Additionally, attackers could manipulate reservation data, causing operational disruptions, double bookings, or denial of service to legitimate customers. This could damage customer trust and lead to regulatory non-compliance, especially under GDPR, which mandates strict data protection and breach notification requirements. The potential for data integrity compromise may also affect business analytics and reporting. Given the remote exploitability and lack of required authentication, attackers could target these systems en masse, increasing the risk of widespread impact across multiple theaters or chains in Europe.

Mitigation Recommendations

Immediate mitigation should focus on input validation and parameterized queries to prevent SQL injection. Specifically, developers should validate the 'mid' parameter in /manage_reserve.php against the form it is expected to take (for a record identifier, an integer) and pass it to the database only through prepared statements or stored procedures, never by splicing it into the SQL text. Until a vendor patch is available, organizations should deploy a Web Application Firewall (WAF) with custom rules that detect and block SQL injection patterns targeting the 'mid' parameter, treating this as a stopgap rather than a fix. Network segmentation should limit external access to the reservation system backend. Logs should be monitored regularly for suspicious query patterns and for repeated or malformed requests to /manage_reserve.php. Organizations should also conduct code reviews and penetration testing focused on SQL injection vectors. Finally, maintaining up-to-date backups of reservation data will aid recovery if exploitation results in data corruption or deletion.
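The following is an added example, not code from Campcodes or from this advisory, illustrating the two defensive measures above for the 'mid' parameter: strict validation plus a parameterized query in the request handler, and a log check that flags requests to /manage_reserve.php whose 'mid' value fails that same validation. The real application is PHP; here Python with an in-memory SQLite table stands in for the database, and the table layout, column names, and log lines are all constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the reservation database (the real schema is not on the page).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (mid INTEGER, seat TEXT, customer TEXT)")
    conn.executemany(
        "INSERT INTO reservations VALUES (?, ?, ?)",
        [(1, "A1", "alice"), (1, "A2", "bob"), (2, "B5", "carol")],
    )
    return conn


def lookup_unsafe(conn, raw_mid):
    # The vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so anything that is not a bare number changes the query's meaning.
    sql = "SELECT seat, customer FROM reservations WHERE mid = " + raw_mid
    return conn.execute(sql).fetchall()


# A record id is expected to be a positive integer with no leading zeros; the
# ten-digit cap is an assumed sanity limit, not a value taken from the product.
MID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_mid(raw_mid):
    """Return mid as int, or raise ValueError if it is not a plain positive integer."""
    if not MID_RE.fullmatch(raw_mid):
        raise ValueError("mid must be a positive integer")
    return int(raw_mid)


def lookup_safe(conn, raw_mid):
    # Hardened form: validate first, then bind the value as a parameter so the
    # database driver never interprets it as SQL.
    mid = validate_mid(raw_mid)
    return conn.execute(
        "SELECT seat, customer FROM reservations WHERE mid = ?", (mid,)
    ).fetchall()


# Detection side: scan web-server access logs (Common Log Format) for requests to
# /manage_reserve.php whose decoded mid value would have failed validation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_mid) for each request whose mid is not a plain integer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/manage_reserve.php":
            continue
        # parse_qs percent-decodes, so the check sees what the application would see.
        for value in parse_qs(url.query, keep_blank_values=True).get("mid", []):
            if not MID_RE.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2025:19:40:01 +0000] "GET /manage_reserve.php?mid=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Jul/2025:19:40:07 +0000] "GET /manage_reserve.php?mid=1%20OR%201%3D1 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [11/Jul/2025:19:40:09 +0000] "GET /index.php HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    db = build_demo_db()
    print("safe lookup for mid=1:", lookup_safe(db, "1"))
    print("unsafe lookup with a tautology returns every row:", lookup_unsafe(db, "1 OR 1=1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe lookup rejected it:", exc)
    print("flagged log entries:", suspicious_requests(SAMPLE_LOG))
```

The same predicate (`MID_RE`) drives both the rejection in the handler and the log rule, so the detection stays aligned with what the fixed code accepts; a WAF rule for the 'mid' parameter can be written the same way, as an allow-list on the expected shape rather than a deny-list of injection keywords.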


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-11T08:57:46.022Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687169fca83201eaacb040dc

Added to database: 7/11/2025, 7:46:04 PM

Last enriched: 7/11/2025, 8:01:07 PM

Last updated: 7/11/2025, 8:01:07 PM
