Cyber Resilience

CVE-2019-25260

Severity: High · Public PoC

Published: 03 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score (v4): 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (32.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25260 is a high-severity SQL Injection (CWE-89) vulnerability in Oxid Esales (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25260 is a SQL injection vulnerability (CWE-89) affecting OXID eShop versions 6.x prior to 6.3.4, specifically in the 'sorting' parameter. This flaw allows attackers to insert malicious database content by manipulating the parameter, enabling the injection of PHP code into the database. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with network accessibility and no privileges required.

Unauthenticated attackers can exploit the vulnerability remotely over the network with low attack complexity and no user interaction by sending crafted URLs that tamper with the sorting parameter. Successful exploitation allows arbitrary PHP code execution through the injected database content, potentially leading to full server compromise.

Advisories and references, including the OXID eSales bug tracker (ID 7002) and the project's GitHub repository, point to upgrading to version 6.3.4 or later as the primary mitigation. Additional resources detail the issue, such as archived blog posts from 2019 and a proof-of-concept exploit on Exploit-DB (ID 48527).

Publicly available exploit code on Exploit-DB confirms practical exploitability, with discussions dating back to 2019 via archived vulnerability reports.
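Why a sort parameter is such a common SQL injection sink, and what the input-validation mitigation (SI-10) looks like for it, as an added illustration that is not OXID eShop's code: the table, column names and query builders below are hypothetical, constructed for the demo. A column name cannot be bound as a prepared-statement parameter, so the value ends up concatenated into ORDER BY unless it is first mapped onto an allowlist.

```python
import sqlite3

# Constructed demo table; not OXID eShop's schema or code.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    con.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                    [(1, "chair", 30.0), (2, "table", 120.0), (3, "lamp", 15.5)])
    return con

# Hypothetical vulnerable pattern: the request's sorting value is spliced into the
# ORDER BY clause verbatim, so any SQL syntax in it becomes part of the statement.
def query_unsafe(sorting):
    return "SELECT id FROM articles ORDER BY " + sorting

# Hardened form: the untrusted value is only ever used as a lookup key into an
# allowlist of column names and directions; anything else is rejected outright.
ALLOWED_COLUMNS = {"title": "title", "price": "price"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def query_safe(sorting):
    parts = sorting.strip().lower().split()
    if len(parts) not in (1, 2):
        raise ValueError("malformed sorting parameter")
    column = ALLOWED_COLUMNS.get(parts[0])
    direction = ALLOWED_DIRECTIONS.get(parts[1] if len(parts) == 2 else "asc")
    if column is None or direction is None:
        raise ValueError("sorting value not in allowlist: %r" % sorting)
    return "SELECT id FROM articles ORDER BY %s %s" % (column, direction)

def ids(con, sql, params=()):
    return [row[0] for row in con.execute(sql, params)]

# Why ORDER BY gets concatenated in the first place: binding the column name as a
# parameter sorts by a constant string, so the rows do not come back sorted by price.
def bound_order_by(con):
    return ids(con, "SELECT id FROM articles ORDER BY ?", ("price",))

def is_safe_sorting(sorting):
    try:
        query_safe(sorting)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    con = make_db()
    print(ids(con, query_safe("price desc")))      # [2, 1, 3]
    print(bound_order_by(con))                     # not sorted by price
    print(is_safe_sorting("price, (SELECT 1)"))    # False
```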

Vulnerability details

OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing e-commerce application directly enables remote unauthenticated exploitation for code execution (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Oxid Esales
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly mitigates SQL injection in the 'sorting' parameter by requiring validation and sanitization of user inputs before database queries.

SI-2 Flaw Remediation (prevent)

Ensures timely remediation of the specific SQL injection flaw through patching to OXID eShop 6.3.4 or later.

Boundary Protection (prevent, detect)

Boundary protection via web application firewalls can inspect and block crafted URLs exploiting the SQL injection in the sorting parameter.
