CVE-2025-7456: SQL Injection in Campcodes Online Movie Theater Seat Reservation System
A vulnerability classified as critical has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected by this issue is some unknown functionality of the file /reserve.php. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7456 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Movie Theater Seat Reservation System. The flaw is in the /reserve.php file, specifically in the handling of the 'ID' parameter: the value is used in a database query without adequate validation or parameterization, so an attacker who controls it can inject SQL and potentially gain unauthorized access to the backend database. The vulnerability is exploitable remotely without authentication or user interaction, which raises the risk of automated or widespread attacks. The CVSS 4.0 score is 6.9 (medium); the vector reflects a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although the description classifies the vulnerability as critical, the CVSS score and vector suggest medium severity because the impact scope is limited and the attacker gains only partial control over data. An exploit has been disclosed publicly, but no exploitation in the wild has been reported, and no patch has been published yet. Successful exploitation could allow an attacker to extract sensitive data, modify reservation records, or disrupt seat booking operations, affecting the service's reliability and user trust.
Potential Impact
For European organizations using the Campcodes Online Movie Theater Seat Reservation System, this vulnerability poses a significant risk to the confidentiality and integrity of customer data and reservation information. Exploitation could lead to unauthorized disclosure of personal data, including customer identities and booking details, which may violate GDPR regulations and result in legal and financial penalties. Additionally, attackers could manipulate seat reservations, causing operational disruptions and customer dissatisfaction. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially targeting high-traffic theaters or chains relying on this system. The impact extends beyond individual theaters to potentially affect brand reputation and customer trust across Europe, particularly if personal data breaches occur.
Mitigation Recommendations
Given the absence of an official patch, European organizations should immediately implement input validation and parameterized queries or prepared statements in the /reserve.php script to prevent SQL injection. Employing web application firewalls (WAFs) with specific rules to detect and block SQL injection attempts targeting the 'ID' parameter can provide interim protection. Conduct thorough code reviews and penetration testing focused on injection flaws. Restrict database permissions to the minimum necessary for the application to limit damage in case of exploitation. Monitor logs for suspicious activities related to reservation requests. Organizations should also engage with the vendor to obtain patches or updates and plan for prompt deployment once available. Additionally, consider isolating the reservation system network segment to reduce exposure.
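As an added example of the first recommendation above (validation plus a prepared statement for the 'ID' argument of /reserve.php), here is a hardened lookup written for this page; it is not the Campcodes project's own code, and the table name, column names and connection placeholders are assumptions:

```php
<?php
// Added example, not the Campcodes project's code: hardened handling of the
// ID query-string argument in reserve.php. The table "movie_schedule" and
// its columns are assumed; the real schema of the app is not known here.
declare(strict_types=1);

function connectDb(): PDO
{
    // Placeholders: use a database account holding only the rights reserve.php needs.
    $dsn = 'mysql:host=127.0.0.1;dbname=PLACEHOLDER_DB;charset=utf8mb4';
    return new PDO($dsn, 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the bound value is never parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Accept ID only as a positive integer. Anything else (missing, non-numeric,
// negative, or text such as a quoted SQL fragment) yields null and is rejected.
function readScheduleId(): ?int
{
    $id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

function fetchSchedule(PDO $pdo, int $id): ?array
{
    // The value is bound as a typed parameter, never concatenated into the query text.
    $stmt = $pdo->prepare('SELECT id, movie, show_date, show_time FROM movie_schedule WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = readScheduleId();
if ($id === null) {
    // Reject and log rather than coerce: these rejects are the "suspicious
    // reservation requests" worth monitoring while no vendor patch exists.
    error_log(sprintf('reserve.php: rejected ID=%s from %s',
        var_export($_GET['ID'] ?? null, true), $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Invalid reservation ID.');
}

$schedule = fetchSchedule(connectDb(), $id);
if ($schedule === null) {
    http_response_code(404);
    exit('Schedule not found.');
}
// Render the seat map for $schedule as the original page does.
```

The same pattern (integer validation followed by a bound parameter) applies to any other query in the application that reads a record identifier from the request.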
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-11T08:57:48.544Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68717105a83201eaacb06a9b
Added to database: 7/11/2025, 8:16:05 PM
Last enriched: 7/11/2025, 8:31:48 PM
Last updated: 7/11/2025, 8:31:48 PM
Related Threats
- CVE-2025-53636: CWE-400: Uncontrolled Resource Consumption in OSC ondemand (Medium)
- CVE-2025-7459: SQL Injection in code-projects Mobile Shop (Medium)
- CVE-2025-7457: SQL Injection in Campcodes Online Movie Theater Seat Reservation System (Medium)
- CVE-2025-52955: CWE-131 Incorrect Calculation of Buffer Size in Juniper Networks Junos OS (Medium)
- CVE-2025-52089: n/a (Medium)