CVE-2019-25495

HighPublic PoC

Published: 27 February 2026

Published

27 February 2026

Modified

04 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0014 33.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to…

extract sensitive database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of inputs like the reviews_id parameter to reject malicious SQL payloads before they are incorporated into database queries.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of flaws such as the SQL injection vulnerability in product_reviews_write.php, preventing exploitation through patching.

SI-9 Information Input Restrictions good match

prevent

SI-9 enforces restrictions on information inputs like reviews_id to only permitted values (e.g., integers), blocking SQL injection attempts.

Security SummaryAI

CVE-2019-25495 is a SQL injection vulnerability (CWE-89) affecting osCommerce version 2.3.4.1. The issue exists in the product_reviews_write.php script, where the reviews_id parameter fails to properly sanitize input, enabling attackers to inject malicious SQL code into database queries.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no privileges, and no user interaction required (CVSS:3.1 score of 8.2; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). By crafting GET requests to product_reviews_write.php with boolean-based SQL injection payloads in the reviews_id parameter, attackers can manipulate queries to extract sensitive database information.

Advisories and additional details are available from VulnCheck at https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-reviewsid-parameter, the osCommerce website at https://www.oscommerce.com, and a public exploit at https://www.exploit-db.com/exploits/46330.

Details

CWE(s): CWE-89

Affected Products

oscommerce

2.3.4.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

CVE-2019-25495 is a SQL injection in a public-facing web application (osCommerce), directly enabling T1190 (Exploit Public-Facing Application). It facilitates arbitrary database queries for sensitive data extraction, mapping to T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46330
Exploit, VDB Entry · disclosure@vulncheck.com
https://www.oscommerce.com
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-reviewsid-parameter
Broken Link · disclosure@vulncheck.com