
CVE-2025-7547: Unrestricted Upload in Campcodes Online Movie Theater Seat Reservation System

Medium
Published: Sun Jul 13 2025 (07/13/2025, 22:14:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Movie Theater Seat Reservation System

Description

A vulnerability, which was classified as critical, was found in Campcodes Online Movie Theater Seat Reservation System 1.0. This affects the function save_movie of the file /admin/admin_class.php. The manipulation of the argument cover leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/13/2025, 22:46:11 UTC

Technical Analysis

CVE-2025-7547 is a vulnerability in version 1.0 of the Campcodes Online Movie Theater Seat Reservation System. The flaw is in the 'save_movie' function of the /admin/admin_class.php file, where the 'cover' argument is handled without adequate validation, allowing an unrestricted file upload. An attacker can remotely upload arbitrary files to the server without authentication or user interaction. Unrestricted upload vulnerabilities are critical because an attacker who can place a script or executable in a web-served directory may achieve remote code execution, server compromise, data theft, or service disruption. The vulnerability has been publicly disclosed, which increases the risk of exploitation, although no exploitation in the wild is currently reported. The CVSS 4.0 base score is 6.9, categorized as medium severity: exploitation is remote and requires no privileges or user interaction, but the assessed impact on confidentiality, integrity, and availability is low to limited, possibly because of constraints in the application environment or mitigations in place. With no patch or vendor advisory available at the time of analysis, organizations should prioritize compensating controls.

Potential Impact

For European organizations using the Campcodes Online Movie Theater Seat Reservation System version 1.0, this vulnerability poses a significant risk. Successful exploitation could allow attackers to upload malicious files, potentially leading to unauthorized access, data breaches involving customer information, or disruption of reservation services. Given that this system is likely used by entertainment venues, cinemas, or event organizers, an attack could result in operational downtime, reputational damage, and financial losses due to service unavailability or data compromise. Furthermore, if the uploaded files enable remote code execution, attackers could pivot within the network, threatening broader organizational assets. The public disclosure of the vulnerability increases the risk of opportunistic attacks, especially in the absence of patches. European data protection regulations such as GDPR impose strict requirements on protecting personal data, so exploitation leading to data breaches could also result in regulatory penalties and legal consequences. The impact is particularly relevant for organizations with high customer volumes or those integrated with payment processing systems, where confidentiality and integrity of data are paramount.

Mitigation Recommendations

Since no official patches or vendor advisories are currently available, European organizations should implement immediate compensating controls. These include:

1) Restricting access to the /admin/ directory and the 'save_movie' function via network segmentation and firewall rules to limit exposure to trusted administrators only.
2) Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts, especially those targeting the 'cover' parameter.
3) Conducting manual code reviews or temporary code modifications to validate and sanitize the 'cover' input, restricting allowed file types and sizes to prevent arbitrary uploads.
4) Monitoring server logs for unusual upload activity or unexpected file creations in the application directories.
5) Employing intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts.
6) Planning for rapid deployment of vendor patches once available and maintaining an incident response plan tailored to web application compromises.
7) Educating administrative users about the risk and enforcing strong authentication and access controls to reduce the attack surface.
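The following is an added example of what recommendation 3 looks like in code; it is not Campcodes' code and does not reproduce the vulnerable 'save_movie' function. The function name, the upload directory, and the allowed type list are assumptions; the point is that the file's type is decided from its content, the client-supplied name is discarded, and the stored file can never be executed as a script.

```php
<?php
// Added example (not Campcodes code): hardened handling of the 'cover'
// upload parameter. Function and directory names are assumptions.

// Allowed cover image types, keyed by the MIME type detected from content.
const COVER_ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/webp' => 'webp',
];
const COVER_MAX_BYTES = 2 * 1024 * 1024; // 2 MiB

/**
 * Validate the uploaded cover file and store it under a server-chosen name.
 * Returns the stored file name, or throws on any validation failure.
 */
function store_cover(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Only accept files that PHP itself received in the current request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] === 0 || $file['size'] > COVER_MAX_BYTES) {
        throw new RuntimeException('Cover is empty or exceeds size limit');
    }
    // Decide the type from file content, never from the client-supplied
    // file name or Content-Type header, both of which the sender controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(COVER_ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported cover type: ' . $mime);
    }
    // Second check: a real image parser must accept the file.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    // Discard the original name entirely; the extension follows the MIME type.
    $name = bin2hex(random_bytes(16)) . '.' . COVER_ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store cover');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Assumed call site inside the admin handler:
// $cover = store_cover($_FILES['cover'], __DIR__ . '/../uploads/covers');
```

The upload directory should additionally be served with script execution disabled in the web server configuration, so that even a file that slips past validation is returned as static content rather than run by PHP.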


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-12T17:02:28.848Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687433a7a83201eaacbf2bef

Added to database: 7/13/2025, 10:31:03 PM

Last enriched: 7/13/2025, 10:46:11 PM

Last updated: 7/15/2025, 10:32:31 PM

