CVE-2019-25538

HIGH

202CMS v10 beta - Unauthenticated SQL Injection via log_user Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25538. PoCs published by Mehmet EMIROGLU.

AI-analyzed exploit summary: The exploit demonstrates blind SQL injection vulnerabilities in 202CMS v10 beta via the 'log_user' parameter in index.php and the 'reg_user'/'reg_mail' parameters in register.php. It uses time-based payloads (SLEEP) to confirm the vulnerability.

Description

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send crafted requests with malicious SQL statements in the log_user field to extract sensitive database information or modify database contents.

Exploits (1)

exploitdb · working PoC
by Mehmet EMIROGLU · text · webapps · php
https://www.exploit-db.com/exploits/46579

Classification
Classification: working PoC (90% confidence)
Attack type: SQLi
Complexity: trivial
Reliability: reliable
Target: 202CMS v10 beta
Authentication: none needed
Prerequisites: access to the login or registration page
Analyzed by devstral-2 on Mar 12, 2026

References (3)

Core references (3)
https://www.exploit-db.com/exploits/46579 (Exploit, Third Party Advisory)

Scores

CVSS v3: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack vector: NETWORK
EPSS: 0.0037
EPSS percentile: 28.1%

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical impact: partial

Details

CWE: CWE-89
Status: published
Products (1): konradpl99/202cms 10.0 beta
Published: Mar 12, 2026
Tracked since: Mar 12, 2026