ImpressCMS 1.3.11 SQL Injection via bid Parameter

Description

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.

Affected Products

Vendor	Product	Versions
impresscms	impresscms	1.3.11

References

https://www.exploit-db.com/exploits/46239(exploit)
http://www.impresscms.org/(product)
https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip(product)
https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter(third-party-advisory)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2019-25703 | ImpressCMS 1.3.11 POST Request admin.php bid sql injection (Exploit 46239 / EDB-46239)

→ No new info (linked only)

CVSS 3.17.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-89

PublishedApr 12, 2026

Last enriched4h agov2

Trending Score50

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL and marked exploit as available and actively exploited.

severityexploitAvailableactivelyExploited

via VulDB

v16h ago

Initial creation