CVE-2019-13292

CRITICAL

webERP 4.15 - SQL Injection via Payments.php Base64 Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2019-13292. PoCs published by Semen Alexandrovich Lyhin, alealeluyah, alebrestado.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection vulnerability in WebERP 4.15 by leveraging insecure deserialization of base64-encoded payloads passed to the `unserialize()` function. The payload is injected into the `PaidArray` parameter, confirming the vulnerability via a time-based delay.

Description

A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

Exploits (4)

exploitdb WORKING POC
by Semen Alexandrovich Lyhin · pythonwebappsphp
https://www.exploit-db.com/exploits/47013

This exploit demonstrates a blind SQL injection vulnerability in WebERP 4.15 by leveraging insecure deserialization of base64-encoded payloads passed to the `unserialize()` function. The payload is injected into the `PaidArray` parameter, confirming the vulnerability via a time-based delay.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WebERP 4.15
Auth required
Prerequisites: Valid credentials for WebERP · Access to the target WebERP instance · PHP installed locally for payload generation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by alealeluyah · poc
https://github.com/alealeluyah/CVE-2019-13292-WebERP_4.15

This repository contains a functional Python exploit for CVE-2019-13292, a blind SQL injection vulnerability in WebERP 4.15. The exploit leverages base64-encoded serialized data passed to the unserialize() function, which is then used in SQL queries without sanitization.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WebERP 4.15
Auth required
Prerequisites: valid credentials for WebERP · PHP installed for payload generation
devstral-2 · analyzed Apr 24, 2026 Full analysis →
nomisec WORKING POC 2 stars
by alebrestado · poc
https://github.com/alebrestado/CVE-2019-13292-WebERP_4.15

This repository contains a functional Python exploit for CVE-2019-13292, a blind SQL injection vulnerability in WebERP 4.15. The exploit leverages base64-encoded serialized data passed to the unserialize() function, which is then used in SQL queries without sanitization.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WebERP 4.15
Auth required
Prerequisites: valid credentials · PHP installed for payload generation
devstral-2 · analyzed Apr 24, 2026 Full analysis →
nomisec WORKING POC 2 stars
by 808ale · poc
https://github.com/808ale/CVE-2019-13292-WebERP_4.15

This repository contains a functional Python exploit for CVE-2019-13292, a blind SQL injection vulnerability in WebERP 4.15. The exploit leverages base64-encoded serialized payloads to inject malicious SQL queries via the 'Payments.php' endpoint, confirming vulnerability via time-based delays.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WebERP 4.15
Auth required
Prerequisites: Valid WebERP credentials · Access to the WebERP login page · PHP installed for payload generation
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47013

Scores

CVSS v3 9.8
EPSS 0.0651
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
weberp/weberp 4.15
Published Jul 04, 2019
Tracked Since Feb 18, 2026