CVE-2019-25703
ImpressCMS 1.3.11 SQL Injection via bid Parameter
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.1EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
12 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Impresscms · ImpressCMSpublic PoCs found — 1
cve_referencewww.exploit-db.com/exploits/46239unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →