Platform: php
Component: piluscart
Fixed in: 1.4.2
CVE-2019-25672 describes a SQL injection vulnerability in PilusCart, an e-commerce platform. The flaw lets unauthenticated attackers alter database queries by supplying crafted SQL through the 'send' parameter of the comment submission endpoint. The vulnerability affects versions 1.4.1–1.4.1 and should be addressed promptly to prevent data exposure.
Successful exploitation of CVE-2019-25672 could compromise sensitive data held in the PilusCart database. An attacker could extract user credentials (usernames, passwords, email addresses), customer order information, financial details, and potentially administrative account information, which could lead to identity theft, financial fraud, and reputational damage for the business running PilusCart. Because the attacker controls the query, the same flaw could also be used to modify or delete data, potentially disrupting business operations entirely. Since no authentication is required, the potential impact is substantial.
CVE-2019-25672 was published on 2026-04-05. No public exploits have been widely reported, but the ease of exploitation through RLIKE-based boolean SQL injection payloads suggests a potential for opportunistic attacks. The combination of high impact and a simple exploitation technique makes it a likely target for automated scanning and exploitation tools. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2019-25672 is to upgrade PilusCart to a patched version as soon as it becomes available. Until a patch is applied, consider temporary workarounds that reduce the attack surface. Input validation and sanitization of the 'send' parameter are crucial: apply a strict whitelist of allowed characters and reject any input containing SQL keywords or special characters. A web application firewall (WAF) configured to detect and block SQL injection attempts adds a further layer of defense. Monitor PilusCart logs for suspicious activity, particularly requests to the comment submission endpoint with unusual parameters.
Update PilusCart to a patched version. Check the official PilusCart sources for information on available updates and follow the provided installation instructions. As an additional measure, implement input validation and sanitization for all user-supplied input to prevent future SQL injection.
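The mitigation above concerns a comment submission handler that passes the 'send' parameter into a database query. The following PHP is an added example, not PilusCart's code: it contrasts the string-concatenation pattern that SQL injection advisories like this one describe with a hardened handler that validates the input and binds it as a prepared-statement parameter. The parameter name 'send' comes from the advisory; the table and column names, the function names, and the use of an in-memory SQLite database (so the file runs stand-alone) are assumptions.

```php
<?php
// Added example, not PilusCart's code. Assumed schema: a comments table
// with product_id and body columns. Runs against in-memory SQLite via PDO.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, product_id INTEGER NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// VULNERABLE pattern: the value of 'send' is spliced into the SQL text, so
// the database parses whatever the client sent as part of the query grammar.
function insertCommentUnsafe(PDO $db, int $productId, string $send): void {
    $sql = "INSERT INTO comments (product_id, body) VALUES ($productId, '$send')";
    $db->exec($sql);
}

// HARDENED: (1) validate the input against what a comment may contain,
// (2) bind it as a parameter so it is only ever treated as data.
function validateComment(string $send): string {
    $send = trim($send);
    if ($send === '' || strlen($send) > 2000) {          // byte length; bound is an assumption
        throw new InvalidArgumentException('comment length out of range');
    }
    // Reject control characters (except tab/newline/CR); quotes and other
    // punctuation are harmless once the value is bound as a parameter.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $send)) {
        throw new InvalidArgumentException('control characters not allowed');
    }
    return $send;
}

function insertCommentSafe(PDO $db, int $productId, string $send): void {
    $body = validateComment($send);
    $stmt = $db->prepare('INSERT INTO comments (product_id, body) VALUES (:pid, :body)');
    $stmt->bindValue(':pid', $productId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
}

// Demonstration with a constructed, perfectly ordinary comment containing an
// apostrophe: it breaks the unsafe query (a symptom of the same defect that
// allows injection) but is stored verbatim by the safe handler.
$db = makeDb();
$comment = "Works great, wouldn't buy elsewhere";

try {
    insertCommentUnsafe($db, 1, $comment);
} catch (PDOException $e) {
    echo "unsafe handler: query broken by ordinary input: ", $e->getMessage(), "\n";
}

insertCommentSafe($db, 1, $comment);
$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo "safe handler stored: ", $row['body'], "\n";
```

Run it with `php example.php`. The validation step implements the whitelist-style check the advisory recommends, but note that filtering SQL keywords alone is a weak control: comments legitimately contain words such as "select" or "or", and keyword blocklists are routinely evaded. Binding the value as a parameter, as `insertCommentSafe` does, is what removes the injection class regardless of what the input contains, so a keyword-based WAF rule should be treated as defense in depth rather than the fix.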
CVE-2019-25672 is a SQL injection vulnerability in PilusCart versions 1.4.1–1.4.1 that allows attackers to inject SQL through the 'send' parameter and potentially extract sensitive data.
If you are running PilusCart version 1.4.1–1.4.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade PilusCart to a patched version. Until then, implement input validation and consider deploying a WAF.
No widespread exploitation has been confirmed, but the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Refer to the PilusCart website or security mailing lists for official advisories and updates regarding this vulnerability.