HIGH 8.2

CVE-2019-25730: SQL Injection in Listing Hub CMS 1.0 – High-Risk Unauthenticated Database Access

Listing Hub CMS version 1.0 contains a SQL injection flaw that allows attackers without credentials to run arbitrary database commands. By sending specially crafted requests to the pages.php file with malicious values in the id parameter, attackers can extract sensitive information such as database credentials and system version details. The vulnerability requires no authentication or user interaction, making it a straightforward attack vector for anyone with network access to the affected application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to extract database credentials, usernames, and version information.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25730 is a SQL injection vulnerability (CWE-89) in Listing Hub CMS 1.0 affecting the pages.php endpoint. The vulnerability exists because the id parameter is not properly sanitized before being used in SQL queries. Attackers can inject malicious SQL syntax using error-based injection techniques to craft queries that leak database structure, credentials, and configuration data. The attack is delivered via GET request and requires no prior authentication or special privileges. The CVSS 3.1 score of 8.2 (HIGH) reflects high confidentiality impact and limited integrity impact, with network-based exploitability and low attack complexity.

Business impact

A successful exploitation of this vulnerability could result in unauthorized access to sensitive database contents, including customer records, administrative credentials, and system configuration details. This exposes the organization to credential compromise, data breach liability, and potential lateral movement within the infrastructure. For public-facing Listing Hub CMS instances, this represents a direct pathway to information disclosure without authentication barriers, potentially affecting customer trust and regulatory compliance (GDPR, CCPA, etc.) if personally identifiable information is exposed.

Affected systems

Listing Hub CMS version 1.0 is the confirmed affected product. Organizations running this CMS version in production environments—whether on-premises or cloud-hosted—are at risk. The vulnerability is platform-agnostic at the CMS level, though it may be subject to underlying database and web server configurations. Verify your Listing Hub CMS version through administrative panels or file system inspection (typically found in version configuration files or the application root).

Exploitability

This vulnerability is highly exploitable. It requires only network connectivity to the target application and can be triggered via simple HTTP GET requests, making it accessible to attackers with minimal technical skill. No authentication is necessary, no user interaction is required, and attack complexity is low. Error-based SQL injection allows attackers to infer database structure and extract data through carefully crafted payloads that generate observable database error messages. The straightforward nature of the attack vector and the lack of access controls make this vulnerability suitable for automated scanning and opportunistic exploitation.

Remediation

Upgrade Listing Hub CMS to a patched version released after the vulnerability publication date (June 4, 2026); verify the availability of security updates from the vendor. If an immediate patch is unavailable, implement input validation and parameterized queries (prepared statements) in the pages.php file to prevent SQL injection. Additionally, apply Web Application Firewall (WAF) rules to detect and block suspicious SQL syntax in the id parameter, restrict database user permissions to least-privilege principles, and disable database error messages visible to end users. Monitor access logs for signs of injection attempts.

Patch guidance

Check the official Listing Hub CMS vendor advisory and security bulletin for patched version availability and release dates. Update to the latest stable release that addresses CVE-2019-25730. Before deploying patches, test in a non-production environment to ensure compatibility with existing customizations and plugins. If the vendor has not released a patch, escalate to the vendor for security support and interim compensating controls. Document all patching activities for audit and compliance purposes.

Detection guidance

Monitor web application logs for GET requests to pages.php containing SQL keywords or encoded SQL syntax in the id parameter (e.g., single quotes, UNION, SELECT, OR 1=1, error-inducing characters). Deploy WAF signatures or IDS/IPS rules targeting SQL injection patterns in URL parameters. Review database error logs for suspicious query patterns or unexpected access attempts. Conduct a baseline scan of your Listing Hub CMS instance using vulnerability scanners configured for SQL injection detection. Check for any unauthorized database queries or unexpected credential use in database audit logs if available.

Why prioritize this

This vulnerability merits urgent priority due to its high CVSS score (8.2), unauthenticated exploitability, and direct access to sensitive database information. The low attack complexity and network-based attack vector mean that exploitation can occur at scale through automated tools. The lack of any authentication requirement and the high confidentiality impact make this an attractive target for both opportunistic and targeted attacks. Organizations should treat this as a critical security issue and allocate resources accordingly.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects: (1) Network-based attack vector (AV:N) accessible to any remote attacker; (2) Low attack complexity (AC:L) requiring minimal technical skill; (3) No privilege requirements (PR:N) and no user interaction (UI:N); (4) High confidentiality impact (C:H) enabling extraction of sensitive database data; (5) Limited integrity impact (I:L) as the vulnerability permits some data modification but is primarily exploited for information disclosure; (6) No availability impact (A:N) as the attack does not directly disrupt service. The overall score reflects a serious but not catastrophic threat in standard operating environments.

Frequently asked questions

Can this vulnerability be exploited if the application is behind a firewall or VPN?

If the firewall or VPN restricts access to the application only to authorized users, it does add a layer of protection. However, if the application is internet-facing or accessible from any network, the vulnerability remains exploitable. Additionally, firewall rules alone do not mitigate the underlying SQL injection flaw—only proper code remediation and WAF protections can do that.

Does updating the database password mitigate this vulnerability?

Changing the database password is a temporary defensive measure but not a fix. An attacker can still exploit the SQL injection vulnerability to discover the new password, escalate privileges, or extract other sensitive data. Password changes should be combined with immediate patching or input validation fixes to be effective.

What data can attackers extract using this vulnerability?

Using error-based SQL injection, attackers can extract database credentials, user account information (usernames, email addresses), version information about the database and application, table structures, and potentially customer data depending on what is stored in the database and the database user's permissions. The exact scope depends on the database contents and access levels.

Is this vulnerability actively being exploited in the wild?

This vulnerability was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update, suggesting no confirmed widespread active exploitation at the time of publication. However, the ease of exploitation and high impact make it attractive to attackers, and exploitation could occur at any time. Do not delay patching based on KEV status.

This analysis is provided for informational purposes and is based on publicly available vulnerability data as of the publication and modification dates indicated. SEC.co makes no warranty regarding the completeness or accuracy of this information. Organizations should independently verify all patch version numbers, vendor advisories, and technical details against official vendor communications before implementing mitigations. Testing should be conducted in non-production environments. This vulnerability intelligence does not constitute legal advice or a guarantee of security. Consult official vendor security bulletins and your internal security team for definitive guidance on your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).