CVE-2019-25529
Description
Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. Attackers can send GET requests to the admin/edit.php endpoint with malicious 'page' values using boolean-based blind, time-based blind, or union-based techniques to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Placeto CMS Alpha rv.4 suffers from an authenticated SQL injection in the `page` parameter of admin/edit.php, allowing extraction of database contents.
Placeto CMS Alpha rv.4 contains an SQL injection vulnerability in the admin/edit.php endpoint. The `page` GET parameter is not properly sanitized, allowing authenticated attackers to inject arbitrary SQL commands [1][3][4]. The CMS is a lightweight PHP-based system, but this alpha version lacks essential input validation.
Exploitation requires an authenticated session. Attackers can use boolean-based blind, time-based blind, or union-based SQL injection techniques via the `page` parameter [3]. The exploit proof-of-concept demonstrates sending crafted requests such as `page=JyI" AND 1647=1647 AND "svwN"="svwN` for boolean-based detection, or using UNION ALL SELECT to extract data [3].
Successful exploitation allows attackers to retrieve sensitive information from the database, including usernames, passwords, and other application data [4]. The impact is significant given the CMS handles content management and user accounts.
No official patch has been released; the project appears to be in alpha stage and may be unmaintained. Users should consider migrating to a supported CMS or implementing web application firewall rules to mitigate the risk [1][4].
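Because no patch exists, reviewing web server logs for abnormal `page` values on admin/edit.php is one practical check. The following is an added example, not code from the Placeto project or the cited references: it scans access-log lines and flags requests whose decoded `page` value falls outside an allowlist. The allowlist pattern (short identifiers), the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate `page` values are short identifiers
# (letters, digits, '-' and '_'). Adjust to the values your site really uses.
SAFE_PAGE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_page_values(log_lines):
    """Return (line_number, decoded_value) for each admin/edit.php request
    whose `page` parameter does not match the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        target = urlsplit(match.group("target"))
        if not target.path.endswith("/admin/edit.php"):
            continue  # only the affected endpoint is of interest
        # parse_qs URL-decodes values; keep_blank_values keeps an empty `page=`.
        values = parse_qs(target.query, keep_blank_values=True).get("page", [])
        for value in values:
            if not SAFE_PAGE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IP range, not real traffic).
# The second line carries the boolean-based test string quoted above, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/May/2026:10:00:01 +0000] '
    '"GET /admin/edit.php?page=about-us HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/May/2026:10:00:07 +0000] '
    '"GET /admin/edit.php?page=JyI%22%20AND%201647%3D1647%20AND%20'
    '%22svwN%22%3D%22svwN HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/May/2026:10:00:09 +0000] '
    '"GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.5 - - [18/May/2026:10:00:12 +0000] '
    '"GET /admin/edit.php?page=contact_2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, value in suspicious_page_values(SAMPLE_LOG):
        print(f"line {number}: page={value!r}")
```

The same allowlist can be enforced as a blocking rule in a web application firewall or reverse proxy in front of admin/edit.php, which rejects the request instead of only reporting it.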
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.