CVE-2019-25534
Published: 12 March 2026
Description
Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can submit POST requests to index.php with crafted SQL payloads in the features[]…
more
parameter to extract sensitive database information or manipulate database queries.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of inputs like the features[] parameter to block malicious SQL payloads.
Mandates identification, reporting, and correction of the specific SQL injection flaw in the PHP Car Dealer application.
Requires vulnerability scanning to detect and remediate SQL injection vulnerabilities such as CVE-2019-25534 prior to exploitation.
Security SummaryAI
CVE-2019-25534 is an SQL injection vulnerability (CWE-89) in Netartmedia PHP Car Dealer. The flaw resides in the features[] parameter processed via POST requests to index.php, where insufficient input validation allows attackers to inject and execute arbitrary SQL queries.
Unauthenticated remote attackers can exploit this vulnerability with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation enables extraction of sensitive database information or manipulation of database queries through crafted payloads.
Advisories and references, including an Exploit-DB entry (exploit 46573) and a Vulncheck advisory, document the issue and provide details on the SQL injection via the features[] parameter, with a proof-of-concept exploit available demonstrating the attack.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application enables exploitation of public-facing apps (T1190) and direct access to databases for data collection (T1213.006).