CVE-2019-25440

HIGH

WebIncorp ERP - Unauthenticated SQL Injection via prod_id Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25440. PoCs published by n1x_.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in WebIncorp ERP's product_detail.php via the prod_id parameter. The provided GET request shows a simple SQLi payload that can be used to manipulate the query.

Description

WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC
by n1x_ · text · webapps · php
https://www.exploit-db.com/exploits/47199

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: WebIncorp ERP (all versions)
No auth needed
Prerequisites: Access to the target application's product_detail.php endpoint
devstral-2 · analyzed Feb 22, 2026

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47199

Scores

CVSS v3 8.2
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
Webincorp/WebIncorp ERP
Published Feb 22, 2026
Tracked Since Feb 22, 2026