CVE-2018-25300

HIGH

XATABoost CMS 1.0.0 SQL Injection via news.php

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25300. PoCs published by MgThuraMoeMyint.

AI-analyzed exploit summary This exploit demonstrates a Union-Based SQL Injection vulnerability in XATABoost CMS 1.0.0. The injection point is in the 'id' parameter of 'news.php', allowing attackers to extract sensitive data from the database.

Description

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC
by MgThuraMoeMyint · textwebappsphp
https://www.exploit-db.com/exploits/44622

This exploit demonstrates a Union-Based SQL Injection vulnerability in XATABoost CMS 1.0.0. The injection point is in the 'id' parameter of 'news.php', allowing attackers to extract sensitive data from the database.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: XATABoost CMS 1.0.0
No auth needed
Prerequisites: Access to the vulnerable 'news.php' endpoint with an injectable 'id' parameter
devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-44622
https://www.exploit-db.com/exploits/44622
Product product
Official Product Homepage
http://www2.xataboost.com
Third Party Advisory third-party-advisory
VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php
https://www.vulncheck.com/advisories/xataboost-cms-sql-injection-via-news-php

Scores

CVSS v3 8.2
EPSS 0.0032
EPSS Percentile 24.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
xataboost/XATABoost CMS 1.0.0
Published Apr 29, 2026
Tracked Since Apr 30, 2026