CVE-2019-25703
Published 2026-04-12
CVE-2019-25703: ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL…
Priority: P3 · 52 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.34% (26.0th percentile)
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| impresscms | impresscms | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
ImpressCMS 1.3.11 POST Request admin.php bid sql injection (Exploit 46239 / EDB-46239)
vuldb·2026-04-12·CVSS 7.1
CVE-2019-25703 [HIGH] ImpressCMS 1.3.11 POST Request admin.php bid sql injection (Exploit 46239 / EDB-46239)
A vulnerability labeled as critical has been found in ImpressCMS 1.3.11. Impacted is an unknown function of the file admin.php of the component POST Request Handler. Executing a manipulation of the argument bid can lead to sql injection.
This vulnerability is registered as CVE-2019-25703. It is possible to launch the attack remotely. Furthermore, an exploit is available.
GHSA
GHSA-27c4-766g-945p: ImpressCMS 1
ghsa_unreviewed·2026-04-12
CVE-2019-25703 [HIGH] CWE-89 GHSA-27c4-766g-945p: ImpressCMS 1
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-12
Published