CVE-2019-25638

Vulnerability

Overview

Meeplace Business Review Script contains an SQL injection vulnerability in the addclick.php endpoint. The id parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. This is a classic CWE-89 vulnerability [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to the addclick.php script with a malicious payload in the id parameter. No authentication is required, and the attack can be performed remotely over the network. A proof-of-concept payload uses a time-based blind SQL injection technique with SLEEP() to confirm the vulnerability [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying database. This can lead to extraction of sensitive information (such as user credentials or business data) or cause a denial of service by disrupting database operations. The CVSS v3.1 score is 7.1 (High), with the vector indicating high confidentiality impact and low integrity impact [1]. /a].

Mitigation

As of the publication date, no official patch has been confirmed. Users should apply input validation and parameterized queries to the id parameter in addclick.php. The vendor website (meeplace.com) may provide updates; if the product is end-of-life, migration to an alternative solution is recommended [1][2].