CVE-2018-25300

HIGH

XATABoost CMS 1.0.0 SQL Injection via news.php

Title source: cna

Description

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by MgThuraMoeMyint · textwebappsphp

https://www.exploit-db.com/exploits/44622

View Code ZIP pw:eip

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-44622

https://www.exploit-db.com/exploits/44622

Product product

Official Product Homepage

http://www2.xataboost.com

Third Party Advisory third-party-advisory

VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php

https://www.vulncheck.com/advisories/xataboost-cms-sql-injection-via-news-php

Scores

CVSS v3 8.2

EPSS 0.0006

EPSS Percentile 20.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

xataboost/XATABoost CMS 1.0.0

Published Apr 29, 2026

Tracked Since Apr 30, 2026