Description
XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Key detail from vendor description: "XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter." Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information. The vulnerability is classified under CWE-89 (SQL Injection) and carries a CVSS score of 8.8, indicating high severity and the potential for significant confidentiality loss.

Affected Systems

Known affected vendor/product: Xooscripts XooDigital (source: CNAs vendor list). No specific version information is supplied, so all installations of XooDigital may be vulnerable unless a later patch has been applied.

Risk and Exploitability

Key detail from scores: EPSS Score < 1% suggests low current exploit probability, and the vulnerability is not listed in CISA’s KEV catalog, indicating no widely known exploitation. Based on the description, the likely attack vector is remote via HTTP access to results.php and requires no authentication. The high CVSS score, combined with the possibility of data exfiltration, results in significant risk to affected systems.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch for XooDigital when it becomes available.
  • If a patch cannot be applied immediately, restrict direct access to results.php using web‑server access controls (e.g., IP filtering or authentication barriers).
  • Monitor web logs for anomalous GET requests containing the 'p' parameter and investigate any unusual activity.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Xooscripts
Xooscripts xoodigital
Vendors & Products Xooscripts
Xooscripts xoodigital

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information.
Title XooDigital Lastest Latest SQL Injection via results.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xooscripts Xoodigital
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:26:55.408Z

Reserved: 2026-03-12T13:44:40.944Z

Link: CVE-2019-25509

cve-icon Vulnrichment

Updated: 2026-03-12T16:26:50.935Z

cve-icon NVD

Status : Deferred

Published: 2026-03-12T16:16:02.983

Modified: 2026-04-15T14:56:45.970

Link: CVE-2019-25509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:32Z

Weaknesses