Cyber Resilience

CVE-2019-25503

High · Public PoC

Published: 04 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0010 (27.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25503 is a high-severity SQL Injection (CWE-89) vulnerability in Blondish Phpads. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2019-25503 is an SQL injection vulnerability (CWE-89) in PHPads 2.0, specifically in the click.php3 script. The flaw allows attackers to inject malicious SQL code through the bannerID parameter, leveraging SQL comment syntax and functions like extractvalue to execute arbitrary queries and extract sensitive database information, such as the current database name. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low complexity but requiring user interaction.

Unauthenticated attackers can exploit this over the network by submitting crafted bannerID values, potentially tricking users into interacting with malicious banners or links that trigger the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, allowing data exfiltration from the database without privileges, though it offers limited integrity modification and no availability disruption.

Exploits demonstrating the vulnerability, including proof-of-concept code, are publicly available on Exploit-DB at https://www.exploit-db.com/exploits/46798. A detailed advisory is provided by Vulncheck at https://www.vulncheck.com/advisories/phpads-sql-injection-via-clickphp-bannerid, though no specific patches or mitigations for PHPads 2.0 are detailed in the available references.


Vulnerability details

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name.

CWE(s)

CWE-89 SQL Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing PHP web application directly enables T1190 (initial access and data exfiltration); the arbitrary database query execution and sensitive data extraction map to T1213.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

Vendor: blondish
Product: phpads
Version: 2.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: SI-10 (Information Input Validation)
Requires validation and sanitization of the bannerID input parameter in click.php3, directly blocking the SQL injection payload that uses comment syntax and extractvalue.

prevent: AC-3 (Access Enforcement)
Enforces access-control policy on the publicly reachable click.php3 endpoint so that unauthenticated attackers cannot submit arbitrary bannerID values to the database.

detect
Monitors application and database traffic for anomalous SQL syntax or extractvalue usage originating from the bannerID parameter, enabling detection of exploitation attempts.
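The detect control above can be implemented as a log check. This added example (not part of the advisory or of PHPads) scans constructed Apache-style access-log lines for requests to click.php3 whose bannerID is not a plain integer and reports which SQL comment or extractvalue indicators appear in the value; the log lines, client addresses and bannerID values are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2026:10:01:02 +0000] "GET /click.php3?bannerID=42 HTTP/1.1" 302 0
203.0.113.11 - - [04/Mar/2026:10:01:05 +0000] "GET /click.php3?bannerID=42%27%20extractvalue(1,2)/*x*/ HTTP/1.1" 200 512
203.0.113.12 - - [04/Mar/2026:10:01:09 +0000] "GET /index.php3 HTTP/1.1" 200 2048
203.0.113.13 - - [04/Mar/2026:10:01:12 +0000] "GET /click.php3?bannerID=7--%20 HTTP/1.1" 200 128
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Enrichment only: SQL comment delimiters and the XML function named in the advisory.
# The primary signal is the shape check below, so obfuscated variants are still flagged.
SQL_INDICATOR_RE = re.compile(r"(--|/\*|#|\bextractvalue\b)", re.IGNORECASE)


def analyse_line(line):
    """Return a finding for a click.php3 request with a non-numeric bannerID, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/click.php3"):
        return None
    # parse_qs percent-decodes values, so '%27' becomes a quote here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("bannerID", []):
        if re.fullmatch(r"\d+", value):
            continue  # a plain numeric id is the only legitimate shape
        return {
            "client": line.split()[0],
            "bannerID": value,
            "indicators": sorted({t.lower() for t in SQL_INDICATOR_RE.findall(value)}),
        }
    return None


def scan(log_text):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed input the scan reports the two requests whose bannerID is not an integer and leaves the legitimate click and the unrelated index.php3 request alone.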

References