CVE-2019-25453

MEDIUM

phpMoAdmin 1.1.5 - Unauthenticated Reflected Cross-Site Scripting via newdb Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25453. PoCs published by Ozer Goker.

AI-analyzed exploit summary The exploit demonstrates multiple CSRF and XSS vulnerabilities in phpMoAdmin 1.1.5. It includes functional HTML forms for CSRF attacks and payloads for reflected and stored XSS, targeting the 'db', 'newdb', and 'collection' parameters.

Description

phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute arbitrary code in users' browsers when they visit the malicious link.

Exploits (1)

exploitdb WORKING POC
by Ozer Goker · textwebappsphp
https://www.exploit-db.com/exploits/46082

The exploit demonstrates multiple CSRF and XSS vulnerabilities in phpMoAdmin 1.1.5. It includes functional HTML forms for CSRF attacks and payloads for reflected and stored XSS, targeting the 'db', 'newdb', and 'collection' parameters.

Classification
Working Poc 95%
Attack Type
Xss | Csrf
Complexity
Trivial
Reliability
Reliable
Target: phpMoAdmin 1.1.5
No auth needed
Prerequisites: Access to the target application · Victim interaction for CSRF
devstral-2 · analyzed Feb 21, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46082
Various Sources product
http://www.phpmoadmin.com/

Scores

CVSS v3 6.1
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
phpmoadmin/phpmoadmin 1.1.5
Phpmoadmin/phpMoAdmin 1.1.5
Published Feb 20, 2026
Tracked Since Feb 21, 2026