CVE-2019-25674

HIGH

CMSsite 1.0 SQL Injection via post Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25674. PoCs published by Mr Winst0n.

AI-analyzed exploit summary: The exploit demonstrates a time-based SQL injection vulnerability in CMSsite 1.0 via the 'post' parameter in post.php. The payload uses a sleep function to confirm the vulnerability.

Description

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send GET requests to post.php with malicious 'post' values to extract sensitive database information or perform time-based blind SQL injection attacks.

Exploits (1)

exploitdb WORKING POC
by Mr Winst0n · text · webapps · php
https://www.exploit-db.com/exploits/46402

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: CMSsite 1.0
No auth needed
Prerequisites: Access to the vulnerable post.php endpoint
devstral-2 · analyzed Apr 07, 2026

References (3)

Core References (3)
Product: Official Product Homepage
https://github.com/VictorAlagwu/CMSsite
Third Party Advisory: VulnCheck Advisory: CMSsite 1.0 SQL Injection via post Parameter
https://www.vulncheck.com/advisories/cmssite-sql-injection-via-post-parameter
Exploit: ExploitDB-46402
https://www.exploit-db.com/exploits/46402

Scores

CVSS v3: 8.2
EPSS: 0.0040
EPSS Percentile: 32.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (2):
victoralagwu/cmssite 1.0
VictorAlagwu/CMSsite 1.0
Published: Apr 05, 2026
Tracked Since: Apr 06, 2026