CVE-2025-8960: SQL Injection in Campcodes Online Flight Booking Management System
A vulnerability has been found in Campcodes Online Flight Booking Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/save_airlines.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8960 is a medium-severity SQL injection vulnerability in version 1.0 of the Campcodes Online Flight Booking Management System, a PHP web application. The flaw is in /admin/save_airlines.php, where the 'ID' argument is used in a database query without adequate neutralization, so an attacker who can reach the script can change the query by supplying SQL syntax in that argument. Depending on the query and the privileges of the database account, this can expose, modify or corrupt data in the backend database. The CVSS 4.0 score of 6.9 (medium) reflects a network attack vector, low attack complexity, no privileges required and no user interaction; the confidentiality, integrity and availability impacts are each rated low, but together they allow meaningful compromise of the application's data. Note that the script sits under /admin/: the score assumes the endpoint is reachable without an authenticated admin session, and operators should verify whether their deployment actually enforces one rather than assume either way. No vendor patch has been published and no in-the-wild exploitation has been reported, but exploit code has been publicly disclosed, which lowers the bar for opportunistic attacks.
Potential Impact
For European organizations running the Campcodes Online Flight Booking Management System, the vulnerability puts the confidentiality and integrity of booking data at risk, including customer personal information and airline records. Exploitation could lead to unauthorized data access, data tampering or disruption of booking operations, with the attendant financial and reputational cost; for operators in the travel and transportation sector, disruption also affects operational continuity and customer trust. Because the affected script is an administrative function, a compromised instance could serve as a foothold for further attacks on the hosting environment. The remote, low-complexity nature of the flaw and the availability of public exploit code raise the urgency of mitigation, particularly for operators processing personal data subject to the GDPR, where a breach can carry notification duties and regulatory penalties.
Mitigation Recommendations
The application ships as PHP source, so the fix can be applied directly in /admin/save_airlines.php: treat 'ID' as a record identifier, reject anything that is not a positive integer before it reaches the database, and pass it to the query as a bound parameter (PDO or mysqli prepared statements) instead of interpolating it into the SQL string. Review the rest of the admin module for the same pattern; the related CVE-2025-8957 in the same product suggests the defect is not isolated. Reduce exposure by restricting /admin/ to trusted networks (IP allow-listing or VPN) and by confirming that every admin script enforces an authenticated session. Improve logging so that the request parameters of admin endpoints are recorded; default web server access logs do not capture POST bodies, so a WAF audit log or application-level logging is needed to see the submitted 'ID' value. Until the code is fixed, a WAF rule that rejects non-numeric 'ID' values on this endpoint is a reasonable stopgap, but treat it as a mitigation rather than a fix, since generic SQL injection signatures can be bypassed. Keep tested database backups to recover from data tampering, and apply the vendor's fix promptly if one is released.
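The following added example is not code from the Campcodes project and not the disclosed exploit; it illustrates the defect class and the recommended fix using Python's sqlite3 module as a stand-in for the PHP/MySQL original. The airlines table, its column names and the tautology payload are constructed for the demonstration, since the real query in save_airlines.php is not shown on this page.

```python
import re
import sqlite3

# Constructed stand-in for the table that save_airlines.php updates. The real
# schema is not on the page; the table and column names are assumptions.
SCHEMA = """
CREATE TABLE airlines (
    id INTEGER PRIMARY KEY,
    airline_name TEXT NOT NULL
);
INSERT INTO airlines (id, airline_name) VALUES
    (1, 'Alpha Air'), (2, 'Beta Jet'), (3, 'Gamma Wings');
"""


def fresh_db():
    """Return an in-memory database seeded with three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def save_airline_vulnerable(con, airline_id, name):
    """Defect class: the ID argument is spliced into the SQL text, so any SQL
    syntax in it becomes part of the WHERE clause. Returns rows changed."""
    sql = f"UPDATE airlines SET airline_name = '{name}' WHERE id = {airline_id}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def is_valid_id(value):
    """Whitelist check: a record identifier must be a positive integer and
    nothing else ('2 OR 1=1', '2;', '' and '02' are all rejected)."""
    return re.fullmatch(r"[1-9][0-9]*", str(value)) is not None


def save_airline_safe(con, airline_id, name):
    """Hardened form: validate the ID, then bind both values as parameters so
    the database never parses user input as SQL. Returns rows changed."""
    if not is_valid_id(airline_id):
        raise ValueError("ID must be a positive integer")
    cur = con.execute(
        "UPDATE airlines SET airline_name = ? WHERE id = ?",
        (name, int(airline_id)),
    )
    con.commit()
    return cur.rowcount


def names(con):
    """Current airline names in id order, for inspecting the effect."""
    rows = con.execute("SELECT airline_name FROM airlines ORDER BY id")
    return [row[0] for row in rows]


def demo(payload="2 OR 1=1"):
    """Run the same constructed tautology through both versions.

    Returns (rows changed by the vulnerable version, its table afterwards,
    whether the safe version rejected the input, its table afterwards)."""
    vuln = fresh_db()
    changed = save_airline_vulnerable(vuln, payload, "Injected Air")
    safe = fresh_db()
    try:
        save_airline_safe(safe, payload, "Injected Air")
        rejected = False
    except ValueError:
        rejected = True
    return changed, names(vuln), rejected, names(safe)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the string-built UPDATE touching all three rows, while the hardened version rejects the same input before any SQL executes. The two steps it applies, an integer whitelist on the identifier and a bound parameter, carry over directly to PDO or mysqli prepared statements in the PHP script.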
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-08-13T15:56:46.241Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 689dccebad5a09ad005a4292
Added to database: 8/14/2025, 11:47:55 AM
Last enriched: 8/14/2025, 12:04:51 PM
Last updated: 8/14/2025, 12:04:51 PM
Related Threats
- CVE-2025-8961: Memory Corruption in LibTIFF (Medium)
- CVE-2025-8958: Stack-based Buffer Overflow in Tenda TX3 (High)
- CVE-2025-8957: SQL Injection in Campcodes Online Flight Booking Management System (Medium)
- CVE-2025-54707: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in RealMag777 MDTF (Critical)
- CVE-2025-54706: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Noor Alam Magical Posts Display (Medium)