Description
SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-03-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection that allows arbitrary query execution
Action: Immediate Patch
AI Analysis

Impact

This weakness sits in the SimplePress CMS 1.0.7 code path that processes the 'p' and 's' URL parameters without proper validation, enabling attackers to embed SQL fragments in GET requests. The vulnerability is a classic injection flaw (CWE-89), and the official description states that through crafted payloads an unauthenticated user can execute any SQL statement against the backend database. Such manipulation can read or modify sensitive data, including usernames, database names, and version details, and potentially lead to full compromise of the hosting system if the database grants higher privileges.

Affected Systems

The product affected is SimplePress CMS version 1.0.7, distributed by Sourceforge. No additional sub-components or earlier versions are named in the report, making this single build the sole known vulnerable configuration.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability. Because the flaw can be triggered via a simple HTTP GET request without any authentication, the attack vector is remote and open to any network user. The EPSS score is not available, and the vulnerability is not listed in the KEV catalog, but the existence of an exploitation proof in exploit-db suggests real-world risk. An attacker who succeeds can read or modify database content, and if the database credentials are elevated, the compromise could extend to the underlying operating system.

Generated by OpenCVE AI on March 21, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Download and install a newer version of SimplePress CMS from the vendor’s official sourceforge project page, ensuring the release includes the SQL injection fix (versions 1.0.8 and later).
  • If an upgrade cannot be performed immediately, restrict access to the web interface that exposes the 'p' and 's' parameters by applying firewall or web application firewall (WAF) rules to limit traffic to trusted IP addresses.
  • Verify the database credentials used by the CMS and consider rotating them after remediation to mitigate any residual exposure.

Generated by OpenCVE AI on March 21, 2026 at 16:22 UTC.
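As an added, defender-side example (not code from OpenCVE or the SimplePress project), the script below scans constructed web-server access-log lines for requests whose 'p' or 's' parameter carries SQL metacharacters, which is the kind of check a WAF rule or log-review job would apply while the upgrade is pending. The log format, paths and indicator list are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters the advisory names as the injection points in SimplePress CMS 1.0.7.
WATCHED_PARAMS = ("p", "s")

# Generic SQL-injection indicators of the kind found in common WAF rule sets.
# A match is a triage signal, not proof of exploitation.
SQLI_INDICATORS = re.compile(
    r"(['\"]|--|/\*|\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\()",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format (assumed): client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for watched params that match an indicator."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second decode catches double-encoded input
            if SQLI_INDICATORS.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Yield (client_ip, timestamp, param, decoded value) for each flagged request."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m["target"]).items():
            yield (m["ip"], m["ts"], param, value)

# Constructed sample lines: one benign, one with a quote and comment marker in 'p',
# one with a double-encoded quote in 'p' (%2527 -> %27 -> ').
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Mar/2026:16:20:01 +0000] "GET /index.php?p=3&s=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Mar/2026:16:21:14 +0000] "GET /index.php?p=3%27--&s=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Mar/2026:16:22:40 +0000] "GET /index.php?p=3%2527&s=search+terms HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("flagged:", hit)
```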

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Simplepresscms; Simplepresscms simplepress Cms
CPEs                |                | cpe:2.3:a:simplepresscms:simplepress_cms:*:*:*:*:*:*:*:*
Vendors & Products  |                | Simplepresscms; Simplepresscms simplepress Cms

Tue, 24 Mar 2026 02:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sourceforge; Sourceforge simplepress Cms
Vendors & Products  |                | Sourceforge; Sourceforge simplepress Cms

Sat, 21 Mar 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title       |                | SimplePress CMS 1.0.7 SQL Injection via p and s Parameters
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T20:03:27.725Z

Reserved: 2026-03-21T15:23:49.617Z

Link: CVE-2019-25575

Vulnrichment

Updated: 2026-03-23T20:03:19.377Z

NVD

Status: Analyzed

Published: 2026-03-21T16:16:01.147

Modified: 2026-04-15T17:09:48.490

Link: CVE-2019-25575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:08Z

Weaknesses