CVE-2019-25541

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0017 37.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. Attackers can inject time-based blind SQL payloads via the 'id' parameter in index.php or the 'Email' parameter in loginaction.php to…

extract sensitive database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating and sanitizing untrusted inputs like the 'id' parameter in index.php and 'Email' parameter in loginaction.php before database query construction.

SI-2 Flaw Remediation good match

prevent

Remediates the specific SQL injection flaws in Netartmedia PHP Mall 4.1 through identification, correction, and testing of vulnerable code in index.php and loginaction.php.

SI-9 Information Input Restrictions partial match

prevent

Enforces restrictions on input parameters to limit or block malicious SQL payloads, complementing validation for the time-based blind SQL injection vectors.

Security SummaryAI

Netartmedia PHP Mall 4.1 is affected by CVE-2019-25541, a set of multiple SQL injection vulnerabilities classified under CWE-89. These flaws arise from unvalidated user inputs in specific parameters, enabling attackers to manipulate database queries. Vulnerable endpoints include the 'id' parameter in index.php and the 'Email' parameter in loginaction.php, which accept time-based blind SQL payloads without proper sanitization.

Unauthenticated remote attackers can exploit these vulnerabilities with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation allows extraction of sensitive database information, such as credentials or other confidential data, through blind SQL injection techniques that infer results via query timing delays. The high confidentiality impact stems from potential data leakage, with limited integrity disruption.

Advisories from Vulncheck detail the multiple SQL injection issues and reference proof-of-concept exploits available on Exploit-DB (exploit 46562), confirming the attack vectors in index.php and loginaction.php. No patches or specific mitigation steps are outlined in the provided references, emphasizing the need for input validation, prepared statements, or upgrading to a non-vulnerable version if available.

Details

CWE(s): CWE-89

Affected Products

netartmedia

php mall

4.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing PHP web application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1213.006 (Data from Information Repositories: Databases) via unauthorized database query manipulation and sensitive data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46562
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/netartmedia-php-mall-multiple-sql-injection-2
Third Party Advisory · disclosure@vulncheck.com