CVE-2019-25260
Published: 03 February 2026
Summary
CVE-2019-25260 is a high-severity SQL injection (CWE-89) vulnerability in OXID eShop by OXID eSales (vendor inferred from references). The summary score shown here is CVSS 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 32.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25260 is a SQL injection vulnerability (CWE-89) in OXID eShop 6.x before 6.3.4, located in the 'sorting' request parameter. Because that parameter is used to build the query's sort expression, an attacker who controls it can alter the SQL; per the advisory text, this lets the attacker write chosen content into the database, and that stored content is then used to inject PHP code. The stated CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, which computes to a base score of 8.2 (network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact, low integrity impact). That is lower than the 8.8 quoted in the summary above; 8.2 is the score the vector actually implies. Note also that a vector with low integrity impact understates the outcome the description goes on to claim (PHP code execution), so the published severity is, if anything, conservative.
An unauthenticated attacker exploits the flaw remotely by sending crafted URLs that tamper with the sorting parameter; no user interaction is needed. According to the description, the injected database content then leads to arbitrary PHP code execution, which in practice can mean full compromise of the web server. Even where the second stage is not reachable, injection into an ORDER BY clause is a usable primitive on its own: the attacker can make the sort order depend on a condition and read data out one comparison at a time.
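As an added illustration, not code from OXID eShop or from the advisory, the following Python shows the pattern behind an ORDER BY injection in a sort parameter and its fix. An in-memory SQLite database stands in for the shop's MySQL schema; the table and column names (oxarticles, oxtitle, oxprice, oxuser, oxpassword), the sample products and the admin password value are all constructed for this example. The leak function shows the boolean-based extraction mentioned above: the sort key flips between price and title depending on one character of the stored password, so the order of the returned rows reveals the character.

```python
import sqlite3

# Constructed sample data; schema and values are assumed for illustration only.
ARTICLES = [("Mug", 5.00), ("Lamp", 25.00), ("Desk", 120.00)]
SECRET = "s3cr3t"  # constructed password value the attacker wants to recover


def make_db():
    """Build an in-memory stand-in for the shop database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oxarticles (oxtitle TEXT, oxprice REAL)")
    db.executemany("INSERT INTO oxarticles VALUES (?, ?)", ARTICLES)
    db.execute("CREATE TABLE oxuser (oxusername TEXT, oxpassword TEXT)")
    db.execute("INSERT INTO oxuser VALUES ('admin', ?)", (SECRET,))
    return db


def list_articles_vulnerable(db, sorting):
    """Vulnerable pattern: the request's sort value is spliced into ORDER BY.

    Bind parameters cannot be used for identifiers, so developers tend to
    interpolate the sort column; without an allow-list that is an injection.
    """
    sql = f"SELECT oxtitle FROM oxarticles ORDER BY {sorting}"
    return [row[0] for row in db.execute(sql)]


# Public sort keys mapped to the only columns the query may sort on.
ALLOWED_SORT = {"title": "oxtitle", "price": "oxprice"}


def parse_sorting(sorting):
    """Return (column, direction) for an allow-listed sort request, else None."""
    parts = sorting.split()
    if not 1 <= len(parts) <= 2:
        return None
    field = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if field not in ALLOWED_SORT or direction not in ("ASC", "DESC"):
        return None
    return ALLOWED_SORT[field], direction


def list_articles_hardened(db, sorting):
    """Hardened: only allow-listed column names and directions reach the SQL."""
    parsed = parse_sorting(sorting)
    if parsed is None:
        raise ValueError("unsupported sorting value")
    column, direction = parsed
    sql = f"SELECT oxtitle FROM oxarticles ORDER BY {column} {direction}"
    return [row[0] for row in db.execute(sql)]


def leak_secret_via_order(db, length=6):
    """Boolean-based extraction through the vulnerable ORDER BY.

    For each position and candidate character, the CASE expression sorts by
    price when the guess is right and by title otherwise; the two orders differ,
    so the response alone tells the attacker whether the guess was correct.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    by_price = ["Mug", "Lamp", "Desk"]  # ascending price order of the sample data
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (
                f"(CASE WHEN (SELECT substr(oxpassword,{pos},1) FROM oxuser "
                f"WHERE oxusername='admin')='{ch}' THEN oxprice ELSE oxtitle END)"
            )
            if list_articles_vulnerable(db, payload) == by_price:
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("benign sort:", list_articles_vulnerable(db, "oxprice"))
    print("leaked via ORDER BY:", leak_secret_via_order(db))
    print("hardened, price desc:", list_articles_hardened(db, "price desc"))
    print("hardened rejects injection:", parse_sorting("oxtitle, (SELECT 1)") is None)
```

The fix is the allow-list, not escaping: a sort column is an identifier, so it cannot be passed as a bound parameter, and escaping quotes does nothing against a payload that contains none. The same mapping approach applies to any user-controlled ORDER BY, GROUP BY or column-name input.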
Advisories and references, including the OXID eSales bug tracker (ID 7002) and the project's GitHub repository, point to upgrading to version 6.3.4 or later as the primary mitigation. Additional resources detail the issue, such as archived blog posts from 2019 and a proof-of-concept exploit on Exploit-DB (ID 48527).
Publicly available exploit code on Exploit-DB confirms practical exploitability; archived vulnerability reports show the issue being discussed as early as 2019, well before the CVE was published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19383
Vulnerability details
OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing e-commerce application directly enables remote, unauthenticated exploitation leading to code execution, which is the definition of Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SQL injection in the 'sorting' parameter by requiring that user input be validated (for a sort key, checked against an allow-list of permitted columns and directions) before it reaches a database query.
- SI-2 (Flaw Remediation): ensures timely remediation of this specific flaw by patching to OXID eShop 6.3.4 or later, which is the fix the advisories point to.
- SC-7 (Boundary Protection): a web application firewall in front of the shop can inspect and block crafted URLs that carry SQL syntax in the sorting parameter. This is a compensating control only; it reduces exposure until the patch is applied but does not remove the flaw, and encoding or whitespace variations can slip past signature rules.
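Whether or not a WAF is in place, the same idea can be turned into a detection run over web server access logs to find exploitation attempts against the sorting parameter. The Python below is an added example, not part of the original page or of OXID eShop: it parses Combined Log Format lines, URL-decodes every 'sorting' value and flags any that is not a plain identifier optionally followed by asc/desc. The log lines are constructed for the example; the request path and parameter names are assumed, not taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle%20asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2026:10:00:03 +0000] "GET /index.php?cl=alist&cnid=abc&sorting=oxprice%20desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2026:10:02:15 +0000] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle%2C%28SELECT%20sleep%285%29%29 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.9 - - [01/Feb/2026:10:02:16 +0000] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle%20asc%3B%20SELECT%201 HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.3 - - [01/Feb/2026:10:05:00 +0000] "GET /index.php?cl=details&anid=xyz HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identity, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate sort value is an identifier, optionally followed by asc or desc.
# Anything else (commas, parentheses, semicolons, quotes, keywords) is suspicious.
SAFE_SORT_RE = re.compile(r'^[A-Za-z0-9_.]+(\s+(asc|desc))?$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def sorting_values(target):
    """All URL-decoded 'sorting' values in a request target (repeats included)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("sorting", [])


def is_suspicious_sort(value):
    """True when the decoded sort value does not look like a plain column sort."""
    return SAFE_SORT_RE.match(value) is None


def find_suspicious(log_text):
    """Scan log text; return (client_ip, status, decoded_sorting) per suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in sorting_values(rec["target"]):
            if is_suspicious_sort(value):
                hits.append((rec["ip"], rec["status"], value))
    return hits


if __name__ == "__main__":
    for ip, status, value in find_suspicious(SAMPLE_LOG):
        print(f"{ip} status={status} sorting={value!r}")
```

Decoding before matching matters: the attacker's payload arrives percent-encoded, and a rule that inspects the raw query string misses %2C and %28 just as a WAF signature written for literal commas would. Pair the hits with the response status; a 500 on an otherwise-normal listing page is a useful corroborating signal, though a successful injection often returns 200.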