CVE-2019-25260
OXID eShop 6.3.4 - 'sorting' SQL Injection
CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th
OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.
| CWE | CWE-89 |
| Vendor | oxid-esales |
| Product | oxid eshop |
| Published | Feb 3, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for oxid-esales oxid eshop
Be the first to know when new high vulnerabilities affecting oxid-esales oxid eshop are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
OXID-eSales / OXID eShop
Versions 6.x (prior to 6.3.4)
References
exploit-db.com: https://www.exploit-db.com/exploits/48527 oxid-esales.com: https://www.oxid-esales.com/ github.com: https://github.com/OXID-eSales/oxideshop_ce web.archive.org: https://web.archive.org/web/20201020223434/https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/ web.archive.org: https://web.archive.org/web/20190731211638/https://blog.ripstech.com/2019/oxid-esales-shop-software/ bugs.oxid-esales.com: https://bugs.oxid-esales.com/view.php?id=7002 vulncheck.com: https://www.vulncheck.com/advisories/oxid-eshop-sorting-sql-injection
Credits
VulnSpy