CVE-2019-25507

HighPublic PoC

Published: 04 March 2026

Published

04 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0012 30.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers can send GET requests to index.php with malicious 'shop' values using UNION-based SQL injection…

to extract sensitive database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of the 'shop' parameter in index.php to block SQL injection payloads.

SI-2 Flaw Remediation good match

preventrecover

Mandates identification, reporting, and correction of the SQL injection flaw to eliminate insufficient input sanitization.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection via web application firewalls can inspect and block malicious GET requests targeting the 'shop' parameter.

Security SummaryAI

CVE-2019-25507 is an SQL injection vulnerability (CWE-89) in Ashop Shopping Cart Software. The flaw resides in the 'shop' parameter of index.php, where insufficient input sanitization allows attackers to inject arbitrary SQL code into database queries.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted GET requests to index.php with malicious values in the 'shop' parameter. Using UNION-based SQL injection techniques, they can extract sensitive information from the database. The CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects network accessibility with low complexity, no privileges or user interaction required, resulting in high confidentiality impact and low integrity impact.

References including Exploit-DB (exploit 46643) and a Vulncheck advisory detail the vulnerability and provide a proof-of-concept exploit demonstrating the SQL injection via the 'shop' parameter. No patches or specific mitigations are outlined in the available information.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

CVE-2019-25507 is an unauthenticated SQL injection in a public-facing web application (T1190), enabling arbitrary database queries to extract sensitive information (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46643
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/ashop-shopping-cart-software-lastest-sql-injection-via-indexphp
disclosure@vulncheck.com