CVE Alert: CVE-2025-10810 – Campcodes – Online Learning Management System

CVE-2025-10810

Severity: HIGH. Exploitation status: no exploitation known.

A vulnerability was detected in Campcodes Online Learning Management System 1.0. The impacted element is an unknown function of the file /admin/edit_user.php. Manipulating the argument firstname results in SQL injection. The attack can be carried out remotely. A public exploit exists and may be used.

CVSS v3.1 score: 7.3
Vendor: Campcodes
Product: Online Learning Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-22T18:32:06.813Z
Updated: 2025-09-22T18:32:06.813Z

AI Summary Analysis

Risk verdict

High risk: public exploit available for remote SQL injection in Campcodes OLMS; urgent remediation advised.

Why this matters

Exposed student/staff data could be queried or altered without authentication, risking data confidentiality and integrity. While the CVSS vector rates each of the confidentiality, integrity and availability impacts as low, the absence of any authentication requirement combined with network reachability makes it easy for an attacker to probe automatically, exfiltrate information, or seed further compromise.

Most likely attack path

An attacker can target the admin edit_user.php endpoint over the network, injecting SQL via the firstname parameter. No user interaction or credentials are required, and successful exploitation can reveal or modify user data within the affected database (Scope Unchanged). The vulnerability lends itself to automated scanning and data exfiltration attempts, with limited lateral movement unless broader DB access is misconfigured.

Who is most exposed

Organisations hosting Campcodes OLMS online, particularly universities and training providers with internet-facing admin interfaces, are at risk—especially if they rely on the 1.0 release and have not applied any mitigations.

Detection ideas

  • Logs showing unusual firstname payloads targeting edit_user.php
  • Database errors or slow queries tied to user-edit operations
  • Anomalous data reads/writes for user records
  • Spikes in 500/502 errors from the admin path
  • WAF alerts for SQL injection patterns on /admin/edit_user.php
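The first and fourth detection ideas above can be checked mechanically. The script below is an added example, not code from the alert or from Campcodes; it assumes Apache-style combined access logs in which the firstname parameter is visible in the request line (i.e. sent as a GET query string, or logged by a WAF that records decoded parameters), and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2025:18:40:01 +0000] "GET /admin/edit_user.php?id=7&firstname=Alice HTTP/1.1" 200 512
203.0.113.9 - - [22/Sep/2025:18:40:02 +0000] "GET /admin/edit_user.php?id=7&firstname=Bob%27+OR+%271%27%3D%271 HTTP/1.1" 200 9124
203.0.113.9 - - [22/Sep/2025:18:40:03 +0000] "GET /admin/edit_user.php?id=7&firstname=x%27+UNION+SELECT+1%2C2%2C3--+ HTTP/1.1" 500 221
198.51.100.2 - - [22/Sep/2025:18:40:04 +0000] "GET /index.php?firstname=O%27Brien HTTP/1.1" 200 340
203.0.113.9 - - [22/Sep/2025:18:40:05 +0000] "POST /admin/edit_user.php HTTP/1.1" 500 221
"""

# Fields of a combined-format line that this check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Heuristics for values that do not look like a person's first name.
# A lone apostrophe (O'Brien, D'Andrea) is allowed; a quote followed by a
# SQL keyword, a UNION/SELECT pair, a comment sequence or a timing function is not.
SQLI_PATTERNS = [
    re.compile(r"['\"]\s*(or|and)\s+['\"\d]", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"(--|/\*|#)"),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
]


def firstname_looks_injected(value):
    """True when a firstname value matches any SQL-injection heuristic."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def flag_suspicious(log_text, path="/admin/edit_user.php"):
    """Return (client_ip, reason) for each log line worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue  # only the affected endpoint is of interest here
        for name in parse_qs(parts.query).get("firstname", []):
            if firstname_looks_injected(name):
                hits.append((m["ip"], f"injection-like firstname: {name!r}"))
        if m["status"] == "500":
            hits.append((m["ip"], "HTTP 500 on admin user-edit path"))
    return hits
```

Running `flag_suspicious(SAMPLE_LOG)` on the constructed sample yields two payload hits and two HTTP 500 hits, all from the same client, while the legitimate O'Brien request on another path is ignored.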

Mitigation and prioritisation

  • Patch to a fixed version or apply vendor-supplied fixes immediately.
  • If patching is delayed, implement WAF rules and input validation to block SQL payloads; disable direct admin access from the internet where feasible.
  • Enforce parameterised queries, least-privilege DB accounts, and proper authentication/authorisation for admin endpoints.
  • Harden configuration: restrict the admin path to an IP allow-list, and remove or obfuscate legacy admin paths.
  • Change-management: test in staging, then roll out with logging enhancements.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat as priority 1.
