CVE-2019-25316

MEDIUM

GOautodial 4.0 - Authenticated Stored Cross-Site Scripting via Event Title Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25316. PoCs published by cakes.

AI-analyzed exploit summary This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in GOautodial 4.0 via the 'CreateEvent' functionality. The POST request injects a malicious script into the 'title' parameter, which executes upon rendering in the application.

Description

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary JavaScript in victim browsers.

Exploits (1)

exploitdb WORKING POC VERIFIED
by cakes · textwebappsphp
https://www.exploit-db.com/exploits/47402

This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in GOautodial 4.0 via the 'CreateEvent' functionality. The POST request injects a malicious script into the 'title' parameter, which executes upon rendering in the application.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GOautodial 4.0
Auth required
Prerequisites: Authenticated session with valid PHPSESSID cookie
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47402
Various Sources product
https://goautodial.org/

Scores

CVSS v3 6.4
EPSS 0.0018
EPSS Percentile 8.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Goautodial/GOautodial 4.0
Published Feb 11, 2026
Tracked Since Feb 18, 2026