CVE-2019-25578

Received Received - Intake

SQL Injection in phpTransformer GeneratePDF.php Allows Data Extraction

Publication date: 2026-03-21

Last updated on: 2026-03-26

Assigner: VulnCheck

Description

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-21

Last Modified

2026-03-26

Generated

2026-06-16

AI Q&A

2026-03-21

EPSS Evaluated

2026-06-14

NVD

CVE-2019-25578

EUVD

EUVD-2019-19901

Affected Vendors & Products

Vendor	Product	Version / Range
codnloc	phptransformer	2016.9

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-22	The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

Executive Summary

The vulnerability in phpTransformer 2016.9 is an SQL injection flaw located in the GeneratePDF.php script. It occurs because the idnews parameter in GET requests is not properly sanitized or parameterized before being used in SQL queries. This allows remote attackers to inject malicious SQL code through the idnews parameter.

By sending specially crafted GET requests with SQL payloads in the idnews parameter, attackers can execute arbitrary SQL queries on the backend database.

This can lead to unauthorized extraction of sensitive database information or manipulation of database operations.

Impact Analysis

This SQL injection vulnerability can have serious impacts including unauthorized access to sensitive data stored in the database.

Attackers can manipulate SQL queries to extract confidential information or alter database contents.

The vulnerability has a high severity score (CVSS v4 base score of 8.8), indicating it can be exploited remotely without any privileges or user interaction.

Potential impacts include data breaches, loss of data integrity, and exposure of sensitive information.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted GET requests to the GeneratePDF.php script with SQL injection payloads in the idnews parameter and observing the response behavior.'}, {'type': 'paragraph', 'content': 'For example, a time-based blind SQL injection test can be performed by injecting a payload that causes a delay in the database response, such as:'}, {'type': 'list_item', 'content': "idnews=20190000000' AND SLEEP(5)-- -"}, {'type': 'paragraph', 'content': 'If the response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability.'}, {'type': 'paragraph', 'content': 'You can use command-line tools like curl to test this, for example:'}, {'type': 'list_item', 'content': 'curl "http://[target]/GeneratePDF.php?idnews=20190000000\' AND SLEEP(5)-- -"'}, {'type': 'paragraph', 'content': 'Monitoring the response time for such requests can help detect the vulnerability on your system.'}] [3]

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2019-25578. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25578

SQL Injection in phpTransformer GeneratePDF.php Allows Data Extraction

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart