CVE-2019-25391
Published: 22 February 2026
Summary
CVE-2019-25391 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 17.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25391 is a time-based blind SQL injection vulnerability (CWE-89) affecting Ashop Shopping Cart Software, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). The issue arises in the admin/bannedcustomers.php endpoint, where the blacklistitemid parameter is vulnerable to manipulation, allowing attackers to inject crafted SQL payloads via POST requests.
Remote, unauthenticated attackers can exploit the flaw without user interaction by sending POST requests whose SQL payloads incorporate SLEEP functions. Successful exploitation permits time-based blind extraction of sensitive database information, giving a high confidentiality impact alongside a low integrity impact.
Advisories and references, including those from VulnCheck and a proof-of-concept exploit on Exploit-DB (46681), detail the vulnerability in Ashop Shopping Cart Software's bannedcustomers.php endpoint but do not specify patches or mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19600
Vulnerability details
Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing web application via unauthenticated SQL injection on the admin endpoint.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates the blacklistitemid parameter in admin/bannedcustomers.php to block time-based blind SQL injection payloads using SLEEP functions.
- SI-2 (Flaw Remediation): Remediates the specific SQL injection flaw in the admin/bannedcustomers.php endpoint's handling of the blacklistitemid parameter.
- Boundary protection: Enforces boundary protection at web interfaces to detect and block crafted POST requests exploiting the SQL injection in admin/bannedcustomers.php.
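The SI-10 control above, as an added example that is not Ashop's code: a hypothetical hardened handler for the blacklistitemid POST parameter that allow-lists a canonical integer, binds it as a query parameter, and returns an audit event for rejected input. The table, column names and sample rows are constructed for the demo.

```python
import re
import sqlite3

# Allow-list for blacklistitemid: a canonical non-negative decimal integer.
# Anything else ("1 AND SLEEP(5)", "1;--", "+1", " 1", "0x1") is rejected
# before the value gets anywhere near a query (NIST 800-53 SI-10).
_ITEM_ID = re.compile(r"^(0|[1-9][0-9]{0,9})$")


def validate_blacklist_item_id(raw):
    """Return the parsed integer, or None if the value is not a canonical ID."""
    if not isinstance(raw, str) or _ITEM_ID.fullmatch(raw) is None:
        return None
    return int(raw)


def make_demo_db():
    """Constructed in-memory stand-in for the shop's banned-customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blacklist (blacklistitemid INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO blacklist VALUES (?, ?)",
                     [(1, "one@example.test"), (42, "fortytwo@example.test")])
    return conn


def handle_bannedcustomers_post(conn, form):
    """Hypothetical hardened handler for POST admin/bannedcustomers.php.

    Returns (http_status, audit_event, row). Validation runs first; the query
    then binds the integer as a parameter, so even if the allow-list were
    loosened the database would only ever see the value as data, not SQL.
    """
    raw = form.get("blacklistitemid", "")
    item_id = validate_blacklist_item_id(raw)
    if item_id is None:
        # Reject and emit a detection-worthy event; never echo raw input back.
        return 400, {"event": "rejected_blacklistitemid", "length": len(raw)}, None
    cur = conn.execute(
        "SELECT blacklistitemid, email FROM blacklist WHERE blacklistitemid = ?",
        (item_id,),
    )
    row = cur.fetchone()
    return (200 if row else 404), {"event": "lookup", "blacklistitemid": item_id}, row


if __name__ == "__main__":
    db = make_demo_db()
    for value in ["42", "7", "1 AND SLEEP(5)", "1;--", "+1"]:
        print(repr(value), "->", handle_bannedcustomers_post(db, {"blacklistitemid": value})[:2])
```

The rejected events are the hook for the boundary-protection control: count them per source over a short window and alert on bursts against this endpoint.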