CVE-2019-9762
Description
A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE 1.7 suffers from an unauthenticated SQL injection in the alipay payment module's pay.php via the id parameter.
Vulnerability
PHPSHE 1.7 contains a SQL injection vulnerability in include/plugin/payment/alipay/pay.php. The id parameter is directly concatenated into SQL queries without sanitization, allowing attackers to inject arbitrary SQL statements. No authentication is required to exploit this flaw [1].
Exploitation
An attacker can send a crafted HTTP request to the vulnerable endpoint with a malicious id parameter. No prior authentication or special network position is needed. The injection occurs during the processing of the payment callback, making it accessible to any remote user [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the database. This can lead to unauthorized access to sensitive data, modification of database content, or complete compromise of the application's data integrity and confidentiality [1].
Mitigation
The issue was reported on the PHPSHE repository [1], but as of the publication date, no official patch has been released. Users should urgently sanitize the id parameter using parameterized queries or input validation. Consider upgrading to a newer version if available, or disabling the affected payment plugin as a temporary workaround.
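The two mitigations named above (allow-list validation of id, then a parameterized query), sketched as an added example. This is not PHPSHE's code: the orders table, its columns, the digits-only id format and the helper names validate_order_id and find_order are all assumptions, and an in-memory SQLite database stands in for the shop database.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the shop's order table.
// Table and column names are hypothetical, not PHPSHE's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (order_id TEXT PRIMARY KEY, amount REAL)');
$pdo->exec("INSERT INTO orders VALUES ('190312000123', 49.90)");

/**
 * Allow-list check: accept only a short run of ASCII digits (assumed id format).
 * Returns the id unchanged, or null when it must be rejected.
 */
function validate_order_id($raw): ?string
{
    // Request parameters can arrive as arrays (id[]=...), so check the type first.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,32}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Look up an order with a prepared statement, so the id travels as bound
 * data and is never spliced into the SQL text.
 */
function find_order(PDO $pdo, $rawId): ?array
{
    $id = validate_order_id($rawId);
    if ($id === null) {
        return null; // reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT order_id, amount FROM orders WHERE order_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one well-formed id, then two the allow-list rejects.
foreach (['190312000123', "190312000123'", ['190312000123']] as $candidate) {
    $result = find_order($pdo, $candidate);
    echo json_encode($candidate), ' => ',
        $result === null ? 'rejected or not found' : 'order found', PHP_EOL;
}
```

The bound parameter is what closes the injection; the allow-list is a second layer that also rejects array-valued and malformed ids before any query runs.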
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] gitee.com/koyshe/phpshe/issues/ITC0C (mitre, x_refsource_MISC)