CVE-2019-25730
Deferred Deferred - Pending Action
SQL Injection in Listing Hub CMS

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulnCheck

Description
Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to extract database credentials, usernames, and version information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2019-25730
EUVD
EUVD-2019-20166
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
listing_hub cms 1.0
themerig listings_directory_cms_directory_php_script to 1.0 (inc)
themerig listings_directory_cms_directory_php_script to 1.1 (inc)
themerig listings_directory_cms_directory_php_script 1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in Listing Hub CMS 1.0 allows unauthenticated attackers to extract sensitive database information such as credentials and usernames. This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access confidential data through SQL injection, the vulnerability increases the risk of data breaches, which can result in regulatory penalties and damage to organizational reputation.

Executive Summary

Listing Hub CMS version 1.0 contains a SQL injection vulnerability in the 'pages.php' file, specifically in the 'id' parameter. This flaw allows unauthenticated attackers to inject malicious SQL code by sending crafted GET requests. Using error-based SQL injection techniques, attackers can cause database errors that reveal sensitive information such as database credentials, usernames, and version details.

Impact Analysis

This vulnerability can have serious impacts as it allows attackers to execute arbitrary SQL queries without authentication. Exploiting this flaw can lead to unauthorized disclosure of sensitive database information including credentials and user data. This can compromise the integrity and confidentiality of the affected system's data, potentially leading to further attacks or data breaches.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the vulnerable endpoint pages.php with malicious SQL injection payloads in the id parameter. Error-based SQL injection techniques trigger database errors that reveal sensitive information such as database credentials, usernames, and version details.

A typical detection method involves using curl or similar HTTP clients to send requests with SQL injection payloads and observing the response for database error messages.

  • curl "http://target-site/pages.php?id=1'"
  • curl "http://target-site/pages.php?id=1' AND 1=1--"
  • curl "http://target-site/pages.php?id=1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -"

If the response contains database errors or reveals database names, usernames, or version information, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include applying patches or updates that fix the vulnerability. For Listing Hub CMS, upgrading to version 1.2 or later addresses this issue.

If an update is not immediately available, consider implementing input validation and sanitization on the id parameter to prevent SQL injection.

Additionally, restricting access to the vulnerable pages.php endpoint through web application firewalls (WAF) or network-level controls can help reduce exposure.

Monitoring and logging suspicious requests targeting the id parameter can also help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart