CVE-2019-25492

HIGH

Doditsolutions Homey BNB (Airbnb Clone Script) >=V4 - Unauthenticated SQL Injection via 'pt' Parameter in getcmsdata.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25492. PoCs published by Ahmet Ümit BAYRAM.

AI-analyzed exploit summary The exploit demonstrates multiple SQL injection vulnerabilities in Homey BNB (Airbnb Clone Script) V4, including time-based and boolean-based payloads, as well as an authentication bypass. The PoCs target specific GET parameters in various endpoints, confirming the presence of exploitable SQLi flaws.

Description

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by Ahmet Ümit BAYRAM · textwebappsphp

https://www.exploit-db.com/exploits/46616

View Code ZIP pw:eip

The exploit demonstrates multiple SQL injection vulnerabilities in Homey BNB (Airbnb Clone Script) V4, including time-based and boolean-based payloads, as well as an authentication bypass. The PoCs target specific GET parameters in various endpoints, confirming the presence of exploitable SQLi flaws.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Homey BNB (Airbnb Clone Script) V4

No auth needed

Prerequisites: Access to the target application · Network connectivity to the vulnerable endpoints

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 28, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-getcmsdataphp

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/46616

Various Sources product

https://www.doditsolutions.com/airbnb-clone-script/

Scores

CVSS v3 8.2

EPSS 0.0032

EPSS Percentile 23.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

doditsolutions/airbnb_clone_script 4

Doditsolutions/Homey BNB (Airbnb Clone Script) V4

Published Feb 27, 2026

Tracked Since Feb 28, 2026