CVE-2019-25524

HIGH

XooGallery Latest - Unauthenticated SQL Injection via 'p' Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25524. PoCs published by Ahmet Ümit BAYRAM.

AI-analyzed exploit summary

The exploit demonstrates multiple SQL injection vulnerabilities in XooGallery by providing specific payloads for vulnerable GET parameters (gal_id, photo_id, cat_id, p). Each payload is designed to confirm SQLi via boolean-based techniques.

Description

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to bypass authentication, extract sensitive data, or modify database contents.

Exploits (1)

exploitdb WORKING POC
by Ahmet Ümit BAYRAM · text · webapps · php
https://www.exploit-db.com/exploits/46609


Classification
Working PoC: 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: XooGallery (Latest version as of 2019)
Authentication: No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Mar 12, 2026

References (2)

Core References (2)
https://www.exploit-db.com/exploits/46609 (Exploit, Third Party Advisory)

Scores

CVSS v3 8.2
EPSS 0.0039
EPSS Percentile 30.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
xooscripts/xoogallery
Published Mar 12, 2026
Tracked Since Mar 12, 2026