CVE-2019-25503

HIGH

PHPads 2.0 - Unauthenticated SQL Injection via click.php3 bannerID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25503. PoCs published by felipe andrian.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in PHPads Version 2.0, specifically in the 'click.php3' file where the 'bannerID' parameter is vulnerable. The PoC includes crafted SQL injection payloads that extract database information.

Description

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name.

Exploits (1)

exploitdb WORKING POC VERIFIED
by felipe andrian · textwebappsphp
https://www.exploit-db.com/exploits/46798

The exploit demonstrates a SQL injection vulnerability in PHPads Version 2.0, specifically in the 'click.php3' file where the 'bannerID' parameter is vulnerable. The PoC includes crafted SQL injection payloads that extract database information.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: PHPads Version 2.0
No auth needed
Prerequisites: access to the vulnerable endpoint
devstral-2 · analyzed Mar 05, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46798

Scores

CVSS v3 7.1
EPSS 0.0033
EPSS Percentile 24.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
blondish/phpads 2.0
Blondish/PHPads 2.0
Published Mar 04, 2026
Tracked Since Mar 05, 2026