CVE-2019-25642
Description
Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can inject SQL payloads into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, the post-id parameter of post-new-submit.php, and the thread-id parameter to extract sensitive database information or cause denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bootstrapy CMS has multiple SQL injection vulnerabilities in POST parameters allowing unauthenticated attackers to execute arbitrary SQL queries.
Vulnerability
Bootstrapy CMS contains multiple SQL injection vulnerabilities in its forum and contact modules. The application fails to sanitize user-supplied input passed via POST parameters, allowing unauthenticated attackers to inject arbitrary SQL queries. The affected parameters include thread_id in forum-thread.php, subject in contact-submit.php, post-id in post-new-submit.php, and thread-id in post-new-submit.php [1][2].
Exploitation
An attacker can exploit these vulnerabilities by sending crafted POST requests to the vulnerable endpoints. No authentication is required. For example, injecting 'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z into the thread_id parameter of forum-thread.php triggers a time-based SQL injection; the resulting response delay confirms that the input is executed as SQL [1]. The same pattern applies to the other affected parameters.
Impact
Successful exploitation allows attackers to extract sensitive database information (such as user credentials or application data) or cause a denial of service by executing resource-intensive queries. The CVSS v3 score of 8.2 (High) reflects the potential for information disclosure and service disruption.
Mitigation
The vendor has not released a patch, and the project appears to be inactive. As a workaround, administrators should restrict access to the vulnerable modules or implement input validation and parameterized queries in the affected scripts. Public proof-of-concept exploit code is available [1][2].
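As an added illustration of the workaround above (example code, not Bootstrapy's own), the following Python places the string-concatenation pattern behind these bugs beside a validated, parameterized version. sqlite3 stands in for the CMS's MySQL database, and the table and column names are assumptions.

```python
import re
import sqlite3

# The probe quoted in reference [1]; used here only to show that the
# vulnerable path hands it to the SQL parser while the safe path rejects it.
PAYLOAD = "'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z"


def make_db():
    # Stand-in schema (assumed, not Bootstrapy's real one) so this runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany("INSERT INTO threads VALUES (?, ?)", [(1, "Welcome"), (2, "Rules")])
    conn.commit()
    return conn


def fetch_thread_vulnerable(conn, thread_id):
    # The defect class behind CVE-2019-25642: the raw POST value becomes SQL text.
    return conn.execute("SELECT id, title FROM threads WHERE id = " + thread_id).fetchall()


def is_valid_thread_id(raw):
    # thread_id / post-id are identifiers: whitelist the shape before touching the DB.
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def fetch_thread_safe(conn, thread_id):
    if not is_valid_thread_id(thread_id):
        raise ValueError("thread_id must be a positive integer")
    # Bound parameter: the value can never change the statement's structure.
    return conn.execute("SELECT id, title FROM threads WHERE id = ?", (int(thread_id),)).fetchall()


def store_subject_safe(conn, subject):
    # Free text such as 'subject' cannot be whitelisted to digits; bound it and bind it.
    if not 1 <= len(subject) <= 200:
        raise ValueError("subject length out of range")
    cur = conn.execute("INSERT INTO contacts (subject) VALUES (?)", (subject,))
    conn.commit()
    return cur.lastrowid


def demo():
    conn = make_db()
    results = {"legit": fetch_thread_safe(conn, "1")}
    try:
        fetch_thread_vulnerable(conn, PAYLOAD)
        results["vuln_parsed_as_sql"] = False
    except sqlite3.OperationalError:  # the probe reached the parser as SQL syntax
        results["vuln_parsed_as_sql"] = True
    results["safe_rejects"] = not is_valid_thread_id(PAYLOAD)
    subject = "Re: order #42 -- it's broken"  # quote and comment marker stored literally
    rid = store_subject_safe(conn, subject)
    row = conn.execute("SELECT subject FROM contacts WHERE id = ?", (rid,)).fetchone()
    results["subject_roundtrip"] = row[0] == subject
    return results
```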
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.