ImpressCMS 1.3.11 SQL Injection via bid Parameter

Description

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.

Affected Products

Vendor	Product	Versions
impresscms	impresscms	1.3.11

References

https://www.exploit-db.com/exploits/46239(exploit)
http://www.impresscms.org/(product)
https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip(product)
https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter(third-party-advisory)

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2019-25703 | ImpressCMS 1.3.11 POST Request admin.php bid sql injection (Exploit 46239 / EDB-46239)

→ No new info (linked only)

CVSS 3.17.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-89

PublishedApr 12, 2026

Last enriched2h agov2

Trending Score51

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated severity to CRITICAL and marked exploit as available and actively exploited.

severityexploitAvailableactivelyExploited

via VulDB

v13h ago

Initial creation