
CVE-2025-8957: SQL Injection in Campcodes Online Flight Booking Management System

Severity: Medium
Type: Vulnerability (CVE-2025-8957)
Published: Thu Aug 14 2025 (08/14/2025, 10:32:09 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Flight Booking Management System

Description

A vulnerability was determined in Campcodes Online Flight Booking Management System 1.0. Affected is an unknown function of the file /flights.php. The manipulation of the argument departure_airport_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/14/2025, 11:05:27 UTC

Technical Analysis

CVE-2025-8957 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Flight Booking Management System. It lies in an unspecified function of the /flights.php file, reached through the 'departure_airport_id' parameter: the value of that parameter is incorporated into a SQL query without being validated or bound, so a crafted value can change the query the backend database executes rather than only the data it is compared against. The vulnerability is exploitable remotely and, per the advisory, needs neither authentication nor user interaction. The CVSS 4.0 base score is 6.9 (medium): the score reflects the ease of exploitation (no privileges or user interaction needed) against a limited impact on confidentiality, integrity and availability, each rated low. In practice this means an attacker could read or modify a limited amount of database content, leading to unauthorized disclosure or tampering of flight booking records. No exploitation in the wild is known at the time of writing, but exploit code has been published, which raises the likelihood of future attempts, and no official patch or vendor mitigation is available. Because flight booking systems hold sensitive customer and flight data, the vulnerability is a tangible threat to the confidentiality and integrity of booking records and, if exploited at scale, to operational reliability.
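The code shape the analysis describes, shown beside its hardened form, as an added illustration that is not code from the Campcodes project: the table, column and function names, the DSN and the credentials are assumptions, since the advisory only names /flights.php and the departure_airport_id parameter. The unsafe function splices the request value into the query text; the safe one validates it as a positive integer and binds it as a typed parameter.

```php
<?php
// Added illustration; not code from the Campcodes project. Table, column and
// function names are assumptions: the advisory only names /flights.php and the
// departure_airport_id parameter.

// Vulnerable shape: the request value is spliced into the SQL text, so a value
// that is not a bare integer changes the query's structure, not just its data.
function findFlightsUnsafe(mysqli $db, array $get)
{
    $id  = $get['departure_airport_id'] ?? '';
    $sql = "SELECT * FROM flights WHERE departure_airport_id = " . $id;
    return $db->query($sql);
}

// Hardened shape: reject anything that is not a positive integer, then pass the
// value as a typed bound parameter so the database never parses it as SQL.
function findFlightsSafe(PDO $db, array $get): array
{
    $raw = $get['departure_airport_id'] ?? null;
    // FILTER_VALIDATE_INT fails on quotes, spaces, comment markers and arrays,
    // so only a well-formed integer ever reaches the query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, flight_no, departure_time FROM flights WHERE departure_airport_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection set-up for the safe version. Disabling emulated prepares makes PDO
// use the server's native prepared statements instead of client-side quoting.
// DSN and credentials are placeholders, not values from the advisory.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=flight_booking;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Request handling in a page such as /flights.php would then be:
// $flights = findFlightsSafe(connect(), $_GET);
```

The integer check and the bound parameter are independent layers: the validation turns malformed input into a 400 before any database round trip, and the prepared statement guarantees that even a value which passed validation is treated as data.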

Potential Impact

For European organizations, especially airlines, travel agencies, and online booking platforms using the Campcodes system, this vulnerability could lead to unauthorized access to passenger booking information, including personally identifiable information (PII) and travel itineraries. Attackers could manipulate booking data, causing operational disruptions or reputational damage. The integrity of flight schedules and bookings could be compromised, potentially leading to financial losses and customer trust erosion. Additionally, attackers might leverage this vulnerability as an initial foothold to pivot into broader network segments, increasing the risk of further compromise. Given the interconnected nature of the European travel industry and the importance of data privacy under GDPR, exploitation could also result in regulatory penalties and legal consequences for affected organizations.

Mitigation Recommendations

Organizations should immediately audit their use of the Campcodes Online Flight Booking Management System version 1.0 and identify every instance of the vulnerable software. Since no official patch is currently available, interim mitigation should focus on web application firewall (WAF) rules designed to detect and block SQL injection attempts against the 'departure_airport_id' parameter; a WAF reduces exposure but does not remove the flaw. At the application level, input validation and parameterized (prepared) queries should be enforced so that request data is never interpreted as SQL. Network segmentation should isolate the booking system from other critical infrastructure to limit lateral movement in case of compromise. Web server and database query logs should be monitored regularly for anomalous values of this parameter. Organizations should also prepare incident response plans for likely exploitation scenarios and watch for vendor updates or patches. Where feasible, upgrading to a newer, patched version of the software or migrating to an alternative booking platform built with secure coding practices is advisable.
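One way to implement the log monitoring recommended above, as an added example that is not part of the advisory or the Campcodes project: a PHP script that scans combined-format web server access log lines, picks out requests to /flights.php, and flags any departure_airport_id value that is not a bare positive integer, which is the only shape a legitimate request should carry. The log lines are constructed sample data; the function names are assumptions.

```php
<?php
// Added example; not part of the advisory or the Campcodes project.
// Scans combined-format access log lines and reports requests to /flights.php
// whose departure_airport_id value is anything other than a positive integer.
// The log lines below are constructed sample data.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [14/Aug/2025:10:40:01 +0000] "GET /flights.php?departure_airport_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Aug/2025:10:41:13 +0000] "GET /flights.php?departure_airport_id=12%27 HTTP/1.1" 500 312 "-" "curl/8.0"
203.0.113.12 - - [14/Aug/2025:10:42:27 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [14/Aug/2025:10:43:02 +0000] "GET /flights.php?departure_airport_id[]=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [14/Aug/2025:10:44:19 +0000] "GET /flights.php?departure_airport_id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Pull client IP, timestamp and request target out of one combined-format line.
function parseRequest(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'target' => $m[3]];
}

// Return every /flights.php request whose departure_airport_id is not a bare
// positive integer. parse_str() URL-decodes the value, so encoded quotes and
// spaces are inspected in their decoded form.
function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseRequest($line);
        if ($req === null) {
            continue;
        }
        $url = parse_url($req['target']);
        if (($url['path'] ?? '') !== '/flights.php' || !isset($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);
        if (!array_key_exists('departure_airport_id', $params)) {
            continue;
        }
        $value = $params['departure_airport_id'];
        // Arrays (id[]=...), quotes, spaces, operators and comment markers all
        // fail this test; a legitimate client only ever sends digits.
        if (!is_string($value) || !preg_match('/\A[1-9]\d*\z/', $value)) {
            $hits[] = [
                'ip'    => $req['ip'],
                'time'  => $req['time'],
                'value' => is_array($value) ? '[array]' : $value,
            ];
        }
    }
    return $hits;
}

foreach (findSuspiciousRequests(SAMPLE_LOG) as $hit) {
    printf("%s %s departure_airport_id=%s\n", $hit['time'], $hit['ip'], $hit['value']);
}
```

Run against the sample data this reports the second and fourth lines (a decoded quote and an array-shaped parameter) and ignores the well-formed integer requests. In production the same function can be fed the live access log, and its output correlated with the database's slow or general query log for the same time window, as the recommendations suggest.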


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T14:10:56.138Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689dbee7ad5a09ad0059e70d

Added to database: 8/14/2025, 10:48:07 AM

Last enriched: 8/14/2025, 11:05:27 AM

Last updated: 8/14/2025, 11:05:27 AM
