Cyber Posture

CVE-2019-25522

Severity: High (public PoC available)
Published: 12 March 2026
Modified: 23 March 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0025 (48.1th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

Control type: prevent

Requires validation of the photo_id parameter: input that is otherwise insufficiently sanitized must be checked for validity before it reaches a database query, which prevents the SQL injection.

Control type: prevent

Directly mandates identification, reporting, and correction of the SQL injection flaw in photo.php to eliminate the vulnerability.

Control type: prevent, detect

Vulnerability scanning detects SQL injection flaws like those in photo.php, enabling timely remediation before exploitation.
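As an added illustration of the two controls above (strict validation of photo_id, and detection of requests that would violate it), here is a small Python script that is not XooGallery code and is not taken from the advisory. It enforces the rule that photo_id must be a positive integer, then runs that same rule over constructed web-server access log lines to flag photo.php requests carrying a non-conforming value. The log lines, client addresses and the path /gallery/photo.php are constructed for the example; the assumption that legitimate photo ids are positive integers is also mine and should be checked against the real schema.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Validation rule for photo_id: the only legitimate value is a positive decimal
# integer without leading zeros. Anything else is rejected before it can be
# used in a query. ASSUMPTION: XooGallery photo ids are integer primary keys;
# the project's own code is not on this page.
PHOTO_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def validate_photo_id(raw):
    """Return photo_id as an int, or None when the value must be rejected."""
    if raw is None or not PHOTO_ID_RE.fullmatch(raw):
        return None
    return int(raw)


# Constructed access log lines in combined log format (not from any real
# deployment). Only the third, fourth and fifth carry a non-conforming photo_id.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /gallery/photo.php?photo_id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [12/Mar/2026:10:01:05 +0000] "GET /gallery/index.php HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2026:10:02:17 +0000] "GET /gallery/photo.php?photo_id=42%27 HTTP/1.1" 500 311
198.51.100.7 - - [12/Mar/2026:10:02:19 +0000] "GET /gallery/photo.php?photo_id=abc HTTP/1.1" 200 120
198.51.100.7 - - [12/Mar/2026:10:02:21 +0000] "GET /gallery/photo.php?photo_id= HTTP/1.1" 200 120
198.51.100.7 - - [12/Mar/2026:10:02:23 +0000] "GET /gallery/photo.php HTTP/1.1" 200 120
"""

# Minimal combined-log-format parser: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def scan_log(text):
    """Return one finding per photo.php request whose photo_id fails validation.

    A request with no photo_id at all is not a finding; an empty or
    non-integer value is, because the application must reject it.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/photo.php"):
            continue
        # parse_qs percent-decodes the value, so we validate what the
        # application itself would have seen.
        params = parse_qs(target.query, keep_blank_values=True)
        for raw in params.get("photo_id", []):
            if validate_photo_id(raw) is None:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "photo_id": raw,
                })
    return findings


def count_by_source(findings):
    """Aggregate findings per client address, a simple basis for an alert threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} photo_id={h["photo_id"]!r}')
    print(count_by_source(hits))
```

The allow-list check is the point: the detector needs no signature for any particular injection string, it simply reports every value the fixed application would refuse, which also makes the same function usable as the server-side validation on the request path.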

Security Summary (AI-generated)

CVE-2019-25522 affects XooGallery Latest and consists of multiple SQL injection vulnerabilities (CWE-89) in the photo.php component. The flaws arise from insufficient sanitization of the photo_id parameter, enabling attackers to inject arbitrary SQL code into database queries. The vulnerability received a CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-03-12T16:16:05.330.

Unauthenticated remote attackers can exploit these vulnerabilities by sending crafted GET requests to photo.php with malicious values in the photo_id parameter. Successful exploitation allows manipulation of database queries, resulting in extraction of sensitive data (high confidentiality impact), limited integrity modifications such as altering database contents, authentication bypass, and no direct availability impact.

Advisories and related resources, including Exploit-DB exploit 46609 and the VulnCheck advisory on XooGallery Latest multiple SQL injections via photo.php, provide further technical details and proof-of-concept exploits but do not specify patches or vendor-provided mitigations in the available information.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: xooscripts xoogallery, all versions

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web application (photo.php) enables unauthenticated remote exploitation (T1190) and direct database query manipulation for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References