CVE-2019-25521
Received Received - Intake

SQL Injection in XooGallery gal.php Allows Data Manipulation

Vulnerability report for CVE-2019-25521, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-12

Last updated on: 2026-03-23

Assigner: VulnCheck

Description

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. Attackers can send GET requests to gal.php with malicious gal_id values to extract sensitive database information or modify database contents.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-12
Last Modified
2026-03-23
Generated
2026-07-06
AI Q&A
2026-03-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
xooscripts xoogallery *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2019-25521 is a high-severity SQL injection vulnerability affecting XooGallery Latest versions. It exists in the gal.php script via the gal_id parameter, which is not properly sanitized. This flaw allows unauthenticated attackers to inject malicious SQL code by sending crafted GET requests with manipulated gal_id values.

Exploitation of this vulnerability enables attackers to manipulate database queries, potentially extracting sensitive information or modifying database contents.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts including unauthorized access to sensitive database information and unauthorized modification of database contents.'}, {'type': 'paragraph', 'content': "Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant risk to the confidentiality and integrity of the affected system's data."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted GET requests to the gal.php script with manipulated gal_id parameter values and observing the responses for signs of SQL injection.'}, {'type': 'paragraph', 'content': 'Example commands to test for the vulnerability include using curl or similar tools to send requests with SQL injection payloads such as:'}, {'type': 'list_item', 'content': 'curl "http://target-site/gal.php?gal_id=29\' AND 2692=2692 AND \'WCFf\'=\'WCFf"'}, {'type': 'list_item', 'content': 'curl "http://target-site/gal.php?gal_id=29\' OR \'1\'=\'1"'}, {'type': 'paragraph', 'content': 'If the response indicates database errors or returns unexpected data, it suggests the presence of the SQL injection vulnerability.'}] [2]

Mitigation Strategies

Immediate mitigation steps include:

  • Apply input validation and sanitization on the gal_id parameter to prevent SQL injection.
  • Use prepared statements or parameterized queries in the gal.php script to safely handle user input.
  • Restrict access to the vulnerable script if possible until a patch or fix is applied.
  • Monitor web server logs for suspicious requests targeting gal.php with unusual gal_id values.

Additionally, check for updates or patches from the vendor and apply them as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart