CVE-2019-25433

HIGH

XOOPS CMS 2.5.9 - Unauthenticated SQL Injection via gerar_pdf.php cid Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25433. PoCs published by felipe andrian.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in XOOPS CMS v2.5.9 via the 'cid' parameter in the 'gerar_pdf.php' script. It provides a direct URL for exploitation, indicating a functional proof-of-concept.

Description

XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC
by felipe andrian · textwebappsphp
https://www.exploit-db.com/exploits/46835

The exploit demonstrates a SQL injection vulnerability in XOOPS CMS v2.5.9 via the 'cid' parameter in the 'gerar_pdf.php' script. It provides a direct URL for exploitation, indicating a functional proof-of-concept.

Classification
Working Poc 80%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: XOOPS CMS v2.5.9
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 22, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46835
Various Sources product
https://xoops.org/

Scores

CVSS v3 8.2
EPSS 0.0026
EPSS Percentile 17.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Xoops/XOOPS CMS 2.5.9
Published Feb 22, 2026
Tracked Since Feb 22, 2026