
CVE-2025-7840: Cross Site Scripting in Campcodes Online Movie Theater Seat Reservation System

Severity: Medium
Tags: Vulnerability, CVE-2025-7840
Published: Sat Jul 19 2025 (07/19/2025, 18:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Movie Theater Seat Reservation System

Description

A vulnerability was found in Campcodes Online Movie Theater Seat Reservation System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=reserve of the component Reserve Your Seat Page. The manipulation of the argument Firstname/Lastname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 07/27/2025, 00:59:48 UTC

Technical Analysis

CVE-2025-7840 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the Campcodes Online Movie Theater Seat Reservation System. The vulnerability resides in the 'Reserve Your Seat' page, specifically the /index.php?page=reserve endpoint. The issue arises from improper sanitization or validation of user-supplied input in the 'Firstname' and 'Lastname' parameters, which allows an attacker to inject script into the page. The vulnerability can be exploited remotely without authentication, although user interaction is required to trigger the payload, for example when a victim views a page containing the injected input. The CVSS 4.0 score is 5.1, a medium severity rating: the attack vector is network-based with low attack complexity and no privileges required, but user interaction is needed. The impact is limited to a low-level loss of confidentiality and integrity, with no direct impact on availability or system control. Because the exploit has been publicly disclosed, the risk of exploitation is increased, although no active exploitation in the wild has been reported. The vulnerability could be leveraged to steal session cookies, perform phishing, or conduct other client-side attacks against users of the system, potentially leading to account compromise or unauthorized actions within the reservation system.

Potential Impact

For European organizations operating or using the Campcodes Online Movie Theater Seat Reservation System, this vulnerability poses a risk to the confidentiality and integrity of user data. Attackers could exploit the XSS flaw to hijack user sessions, redirect users to malicious sites, or perform actions on behalf of users without their consent. This could lead to reputational damage, loss of customer trust, and potential regulatory scrutiny under GDPR if personal data is compromised. Although the direct impact on system availability is minimal, the indirect effects such as phishing or social engineering attacks could have broader security implications. Organizations relying on this system for customer interactions may face increased support costs and operational disruptions. The risk is heightened by the public disclosure of the exploit, which lowers the barrier for attackers to craft and deploy attacks targeting vulnerable installations.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict input validation and context-appropriate output encoding of all user-supplied data, particularly the 'Firstname' and 'Lastname' fields on the reservation page. Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the execution of unauthorized scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads provide an additional layer of defense. Since no official patch is currently available, organizations should consider temporary workarounds such as disabling or restricting the vulnerable reservation functionality, or sanitizing inputs at the web server or proxy level. Regular security assessments and penetration testing should be conducted to identify and remediate similar issues. User education on recognizing phishing and suspicious links is also recommended to reduce the risk of successful exploitation. Monitoring logs for unusual activity related to the reservation system can help detect attempted attacks early.
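As an added illustration (not code from Campcodes or from the advisory), the following PHP shows the vulnerable pattern behind this class of flaw beside the hardened form recommended above: output encoding at render time, an allow-list check on the name fields, and a CSP as a second layer. The field names follow the advisory; the HTML fragment, function names and handler logic are assumptions.

```php
<?php
// Added illustration for CVE-2025-7840 (not Campcodes' code): how a
// reflected name field becomes XSS and how output encoding removes it.
// The field names follow the advisory; the HTML and handler are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the submitted value is written into the page verbatim,
// so any markup or script in it is interpreted by the viewer's browser.
function renderNameVulnerable(string $firstname, string $lastname): string
{
    return "<p>Reserving for: $firstname $lastname</p>";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would hide the bad input.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameSafe(string $firstname, string $lastname): string
{
    return '<p>Reserving for: ' . e($firstname) . ' ' . e($lastname) . '</p>';
}

// Defence in depth: a name has no legitimate need for markup characters, so
// reject such input before it is stored. The allowed class is an assumption;
// widen it for your locale rather than dropping the check.
function isPlausibleName(string $value): bool
{
    return $value !== ''
        && mb_strlen($value, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{M}\s\'.-]+$/u', $value) === 1;
}

// Constructed sample input: one benign name, one containing markup.
$samples = [['Alice', 'Martin'], ['<b>Bob</b>', "O'Neil"]];
foreach ($samples as [$first, $last]) {
    $ok = isPlausibleName($first) && isPlausibleName($last);
    echo 'validates: ' . ($ok ? 'yes' : 'no') . "\n";
    echo 'vulnerable: ' . renderNameVulnerable($first, $last) . "\n";
    echo 'hardened:   ' . renderNameSafe($first, $last) . "\n\n";
}

// The reserve page should also send a CSP that forbids inline script, so an
// encoding miss elsewhere cannot execute. Send it before any output, e.g.:
// header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
```

Run with `php example.php`: the marked-up sample fails validation, is rendered verbatim by the vulnerable function, and appears as inert entity-encoded text in the hardened output.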


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-18T19:36:34.280Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687be0e9a83201eaacfe8872

Added to database: 7/19/2025, 6:16:09 PM

Last enriched: 7/27/2025, 12:59:48 AM

Last updated: 8/29/2025, 5:36:10 PM
