Platform: php
Component: web-ofisi-emlak
Fixed in: 2.0.1
CVE-2019-25459 describes multiple SQL injection vulnerabilities in Web Ofisi Emlak V2, a PHP-based real estate management system. Unauthenticated attackers can alter the database queries the application builds from request input, which can lead to unauthorized reading and modification of data. The affected range is given as versions 2.0.0 through V2; the fix is available in version 2.5.4.
An attacker exploiting CVE-2019-25459 can read data that the Web Ofisi Emlak database holds. The injection points are GET parameters such as emlakdurumu, emlaktipi, il, ilce, kelime and semt, whose values are placed into SQL statements without being bound as parameters. Through them an attacker could extract user credentials, property records and any other confidential data the application stores. Because the injection is time-based blind, the attacker does not need error messages or query output on the page: data is inferred one condition at a time from how long the server takes to respond (for example with a conditional SLEEP()). Successful exploitation could lead to complete database compromise and, depending on the privileges of the database user, to modification or deletion of data that disrupts the system's functionality.
CVE-2019-25459 was published on 2026-02-22. No active exploitation campaigns have been publicly confirmed, but the CRITICAL severity and the ease of exploitation make it a high-priority vulnerability. Absence from the CISA KEV catalog means only that CISA has not recorded exploitation, not that none has occurred, so the vulnerability warrants ongoing monitoring. Given how simple the injection is, public proof-of-concept requests may appear at any time.
Exploit Status
EPSS: 0.11% (30th percentile)
The primary mitigation for CVE-2019-25459 is to upgrade Web Ofisi Emlak to version 2.5.4 or later without delay. If upgrading is not immediately feasible, restrict the affected GET parameters to the values the application actually expects (for example numeric IDs or an allow-list of known il, ilce and semt values) and reject everything else; note that filtering alone is an interim measure, and the durable fix is to bind request values as query parameters rather than concatenating them into SQL. A Web Application Firewall with SQL injection rules can filter obvious payloads while the upgrade is scheduled. Review database query logs for unusual statements such as SLEEP() or BENCHMARK() calls, and run the application under a database account limited to the tables and operations it needs, so that an injection cannot reach credentials or alter records. After upgrading, confirm the fix on a staging copy by sending each affected parameter a time-based payload and a benign value and comparing response times: the fix is effective when the payload no longer delays the response. The absence of database errors is not sufficient evidence, because a time-based blind injection never produced visible errors in the first place.
Update the Emlak script to version 2.5.4 or higher to mitigate the SQL injection vulnerability. Ensure you apply the latest security updates provided by Web-ofisi to protect your application against potential attacks. Review and sanitize user input in GET parameters to prevent SQL injection.
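The following is an added example, not code from Web Ofisi Emlak or from the vendor. It models the injection described above and the post-upgrade check: a string-concatenated search handler next to a parameterised one, both run against an in-memory SQLite stand-in in which a SLEEP() function is registered so that a MySQL-style time-based payload behaves the same way. The table name emlak, the sample rows, the handler code and the 0.3 s delay are all constructed for the demonstration; the real application's schema and queries are not known from the advisory.

```python
"""Time-based blind SQL injection against a search handler, and the check
that confirms a fix. Everything here is a constructed model (hypothetical
table, rows and handlers), not the application's own code."""
import sqlite3
import time
from typing import Callable, Dict, List, Tuple

SLEEP_CALLS: List[float] = []  # every SLEEP() the database engine evaluates


def make_db() -> sqlite3.Connection:
    """Constructed sample data. SLEEP() is registered as a user function so
    the MySQL-style payload used below is evaluated by this SQLite stand-in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emlak (id INTEGER, il TEXT, ilce TEXT, semt TEXT, kelime TEXT)")
    conn.executemany(
        "INSERT INTO emlak VALUES (?, ?, ?, ?, ?)",
        [(1, "Istanbul", "Kadikoy", "Moda", "deniz manzara"),
         (2, "Ankara", "Cankaya", "Kavaklidere", "site"),
         (3, "Izmir", "Konak", "Alsancak", "bahce")],
    )

    def sleep(seconds: float) -> int:
        SLEEP_CALLS.append(seconds)
        time.sleep(seconds)
        return 0

    conn.create_function("SLEEP", 1, sleep)
    return conn


def search_vulnerable(conn: sqlite3.Connection, params: Dict[str, str]) -> List[Tuple]:
    """Vulnerable pattern: the GET value is spliced into the statement,
    so a quote in the value ends the literal and the rest runs as SQL."""
    sql = "SELECT id FROM emlak WHERE 1=1"
    for col in ("il", "ilce", "semt", "kelime"):
        if col in params:
            sql += f" AND {col} = '{params[col]}'"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, params: Dict[str, str]) -> List[Tuple]:
    """Fixed pattern: column names come from a fixed allow-list and the
    values are bound as parameters, so they can never become SQL code."""
    sql = "SELECT id FROM emlak WHERE 1=1"
    args: List[str] = []
    for col in ("il", "ilce", "semt", "kelime"):
        if col in params:
            sql += f" AND {col} = ?"
            args.append(params[col])
    return conn.execute(sql, args).fetchall()


def engine_evaluated_sleep(handler: Callable, conn: sqlite3.Connection, params: Dict[str, str]) -> bool:
    """True if the database engine executed SLEEP() while serving the request,
    i.e. the request value was interpreted as SQL."""
    before = len(SLEEP_CALLS)
    handler(conn, params)
    return len(SLEEP_CALLS) > before


def delay_observed(baseline_s: float, probed_s: float, delay_s: float) -> bool:
    """Decision rule for a time-based probe: the injected delay counts as
    observed when the probed request took at least 80% of the requested
    delay longer than the benign request (the 20% slack absorbs jitter)."""
    return (probed_s - baseline_s) >= 0.8 * delay_s


def time_probe(send: Callable[[Dict[str, str]], object], param: str, delay_s: float = 0.3) -> bool:
    """The post-upgrade check: send a benign value, then a SLEEP payload in
    the same parameter, and compare wall-clock time. `send` is whatever
    issues the request (here a local handler; against a staging server it
    would be an HTTP client)."""
    benign = {param: "Ankara"}
    payload = {param: f"Ankara' AND SLEEP({delay_s})-- -"}
    t0 = time.perf_counter()
    send(benign)
    baseline = time.perf_counter() - t0
    t0 = time.perf_counter()
    send(payload)
    probed = time.perf_counter() - t0
    return delay_observed(baseline, probed, delay_s)


if __name__ == "__main__":
    conn = make_db()
    for name, handler in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        hit = time_probe(lambda p: handler(conn, p), "il")
        print(f"{name} handler: injected delay observed = {hit}")
```

Run against the vulnerable handler the probe reports the delay; against the fixed handler the same payload is just an unmatched string and the response time does not change. Only time_probe needs adapting for a real check: replace the local handler with a function that issues the GET request to a staging instance, keep the delay long enough to stand out from network jitter, and repeat the probe a few times per parameter before concluding.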
CVE-2019-25459 is a critical SQL injection vulnerability in Web Ofisi Emlak V2 (versions 2.0.0 through V2) that lets unauthenticated attackers alter database queries through GET parameters.
If you are running Web Ofisi Emlak V2 (2.0.0 through V2), you are potentially affected and should upgrade immediately.
Upgrade to version 2.5.4 or later. Until then, restrict the affected GET parameters to expected values and consider a WAF as an interim measure.
No active exploitation campaigns have been confirmed, but the severity and the ease of exploitation make this a high-priority risk.
Refer to the Web Ofisi security advisories for the latest information and updates regarding CVE-2019-25459.