CVE-2019-25503
Published: 04 March 2026
Summary
CVE-2019-25503 is a high-severity SQL Injection (CWE-89) vulnerability in Blondish Phpads. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 27.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2019-25503 is an SQL injection vulnerability (CWE-89) in PHPads 2.0, specifically in the click.php3 script. The flaw allows attackers to inject malicious SQL code through the bannerID parameter, leveraging SQL comment syntax and functions like extractvalue to execute arbitrary queries and extract sensitive database information, such as the current database name. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low complexity but requiring user interaction.
Unauthenticated attackers can exploit this over the network by submitting crafted bannerID values, potentially tricking users into interacting with malicious banners or links that trigger the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, allowing data exfiltration from the database without privileges, though it offers limited integrity modification and no availability disruption.
Exploits demonstrating the vulnerability, including proof-of-concept code, are publicly available on Exploit-DB at https://www.exploit-db.com/exploits/46798. A detailed advisory is provided by Vulncheck at https://www.vulncheck.com/advisories/phpads-sql-injection-via-clickphp-bannerid, though no specific patches or mitigations for PHPads 2.0 are detailed in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19729
Vulnerability details
PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing PHP web application directly enables T1190 (Exploit Public-Facing Application) for initial access and data exfiltration; it also maps to T1213.006 for arbitrary database query execution and sensitive data extraction.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the bannerID input parameter in click.php3, directly blocking the SQL injection payload that uses comment syntax and extractvalue.
- AC-3 (Access Enforcement): enforces access-control policy on the publicly reachable click.php3 endpoint so that unauthenticated attackers cannot submit arbitrary bannerID values to the database.
- Monitoring: monitors application and database traffic for anomalous SQL syntax or extractvalue usage originating from the bannerID parameter, enabling detection of exploitation attempts.
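As an added example (not from this page or the PHPads project), the monitoring control above can be approximated with a scan of web-server access logs that flags click.php3 requests whose bannerID is not a plain integer and escalates when the value carries SQL comment syntax or an extractvalue() call. The log lines, field names and severity labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2026:10:00:01 +0000] "GET /click.php3?bannerID=42 HTTP/1.1" 302 0
10.0.0.6 - - [04/Mar/2026:10:00:02 +0000] "GET /click.php3?bannerID=42-- HTTP/1.1" 200 0
10.0.0.7 - - [04/Mar/2026:10:00:03 +0000] "GET /click.php3?bannerID=1%20and%20extractvalue(1,x)--%20 HTTP/1.1" 500 0
10.0.0.8 - - [04/Mar/2026:10:00:04 +0000] "GET /index.php3 HTTP/1.1" 200 0
"""

# src, timestamp, method, request target, status (enough of CLF for this check)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
COMMENT_RE = re.compile(r'--|#|/\*')                       # SQL comment syntax named on the page
FUNC_RE = re.compile(r'\bextractvalue\s*\(', re.IGNORECASE)  # the function named on the page


def classify_banner_id(value):
    """Return (severity, reason) for a decoded bannerID value, or None if it is a plain integer."""
    if re.fullmatch(r'\d+', value):
        return None  # the only shape click.php3 should ever legitimately receive
    if FUNC_RE.search(value):
        return ('high', 'extractvalue() call in bannerID')
    if COMMENT_RE.search(value):
        return ('medium', 'SQL comment syntax in bannerID')
    return ('low', 'non-numeric bannerID')


def scan_log(text):
    """Yield one alert dict per suspicious bannerID value seen on a click.php3 request."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith('/click.php3'):
            continue
        # parse_qs percent-decodes, so the check sees what the script would see
        for raw in parse_qs(parts.query, keep_blank_values=True).get('bannerID', []):
            verdict = classify_banner_id(raw)
            if verdict:
                alerts.append({'src': src, 'time': ts, 'status': int(status),
                               'severity': verdict[0], 'reason': verdict[1], 'value': raw})
    return alerts


if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['src']:10} status={a['status']} {a['reason']}: {a['value']!r}")
```

A 5xx status paired with a high-severity hit is the strongest signal, since a malformed query usually surfaces as a database error before any data is returned.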