CVE-2019-25697

HIGH

CMSsite 1.0 SQL Injection via category.php

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25697. PoCs published by Majid kalantari.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in CMSsite 1.0 via the 'cat_id' parameter in category.php. The payload injects a UNION SELECT query to extract database information, confirming the vulnerability.

Description

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.

Exploits (1)

exploitdb WORKING POC
by Majid kalantari · textwebappsphp
https://www.exploit-db.com/exploits/46259

This exploit demonstrates a SQL injection vulnerability in CMSsite 1.0 via the 'cat_id' parameter in category.php. The payload injects a UNION SELECT query to extract database information, confirming the vulnerability.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: CMSsite 1.0
No auth needed
Prerequisites: access to the vulnerable endpoint
devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-46259
https://www.exploit-db.com/exploits/46259
Third Party Advisory third-party-advisory
VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php
https://www.vulncheck.com/advisories/cmssite-sql-injection-via-category-php

Scores

CVSS v3 8.2
EPSS 0.0041
EPSS Percentile 33.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
victoralagwu/cmssite 1.0
VictorAlagwu/CMSsite 1.0
Published Apr 12, 2026
Tracked Since Apr 12, 2026