CVE-2019-25522
Received Received - Intake
SQL Injection in XooGallery photo.php Allows Data Manipulation

Publication date: 2026-03-12

Last updated on: 2026-03-23

Assigner: VulnCheck

Description
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25522
EUVD
EUVD-2019-19804
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xooscripts xoogallery *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2019-25522 affects XooGallery Latest and involves multiple SQL injection vulnerabilities in the photo.php script.'}, {'type': 'paragraph', 'content': 'These vulnerabilities allow unauthenticated attackers to manipulate SQL queries by injecting malicious SQL code through the "photo_id" parameter in GET requests.'}, {'type': 'paragraph', 'content': 'Exploiting this flaw enables attackers to extract sensitive data, bypass authentication mechanisms, or modify database contents.'}] [1]

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data, bypassing authentication controls, and unauthorized modification of database contents.

Because attackers do not need to be authenticated to exploit this flaw, it increases the risk of data breaches and potential loss of data integrity.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted GET requests to the photo.php script with malicious values in the photo_id parameter to test for SQL injection.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar tools to send requests and observe if the application returns database errors or unexpected data.'}, {'type': 'list_item', 'content': 'curl "http://targetsite/photo.php?photo_id=1\' OR \'1\'=\'1"'}, {'type': 'list_item', 'content': 'curl "http://targetsite/photo.php?photo_id=1 UNION SELECT null, version(), null-- "'}, {'type': 'paragraph', 'content': 'If the responses contain database errors or reveal database version or other sensitive data, it indicates the presence of the SQL injection vulnerability.'}] [1]

Mitigation Strategies

Immediate mitigation steps include applying input validation and sanitization on the photo_id parameter to prevent SQL injection.

Additionally, updating XooGallery Latest to a version where this vulnerability is fixed is recommended.

If patching is not immediately possible, consider implementing a Web Application Firewall (WAF) to block malicious requests targeting the photo_id parameter.

Restricting direct access to photo.php or limiting GET requests with suspicious parameters can also help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart