Cyber Posture

CVE-2019-25639

Severity: High · Public PoC

Published: 24 March 2026
Modified: 15 April 2026
KEV Added:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0013 (32.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Requires validation of all information inputs, directly preventing SQL injection via untrusted POST parameters like txtGender and religion in vulnerable PHP files.

Prevent: Mandates timely identification, reporting, and correction of flaws like the SQL injection vulnerabilities in the Matrimony Website Script M-Plus.

Prevent: Enforces boundary protection through inspection of communications at web application interfaces to block SQL injection payloads from reaching vulnerable endpoints.

Security Summary [AI-generated]

CVE-2019-25639 is a set of multiple SQL injection vulnerabilities (CWE-89) in the Matrimony Website Script M-Plus. The flaws affect several PHP files, including simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php. Attackers can inject malicious SQL payloads through POST parameters such as txtGender, religion, Fage, and cboCountry, enabling manipulation of database queries.

Unauthenticated remote attackers can exploit these vulnerabilities with low complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation allows extraction of sensitive database information or execution of arbitrary SQL commands, potentially compromising user data like personal details in a matrimony site's database.

Advisories and related resources provide further details on the issues: an exploit proof-of-concept at https://www.exploit-db.com/exploits/46591, the vendor site at https://www.matri4web.com, and a VulnCheck advisory at https://www.vulncheck.com/advisories/matrimony-website-script-m-plus-multiple-sql-injection.

A public exploit is available on Exploit-DB, highlighting the risk of real-world abuse against unpatched instances of this matrimony script.
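The following is an added illustrative example, not code from Matrimony Website Script M-Plus: it shows the unsafe pattern the summary describes (POST values such as txtGender, religion, Fage and cboCountry concatenated into a search query) next to a hardened version that applies the input-validation control above and binds every value through a prepared statement. The table and column names, the allowed gender values and the age range are assumptions.

```php
<?php
// Constructed example for CVE-2019-25639; not the product's own code.
// Assumed schema: profiles(id, name, gender, religion, age, country).

// BEFORE (vulnerable pattern): raw POST values are spliced into the SQL
// string, so a crafted value changes the query's structure rather than
// being treated as data. This is the CWE-89 pattern the advisory describes.
function searchProfilesVulnerable(mysqli $db, array $post)
{
    $sql = "SELECT id, name, age, country FROM profiles"
         . " WHERE gender = '" . $post['txtGender'] . "'"
         . " AND religion = '" . $post['religion'] . "'"
         . " AND age >= " . $post['Fage']
         . " AND country = '" . $post['cboCountry'] . "'";
    return $db->query($sql);
}

// AFTER (hardened): validate each input against an allowlist or type
// constraint first, then bind the values so the database never parses
// them as SQL. Validation failures are rejected, not "cleaned up".
function searchProfilesSafe(mysqli $db, array $post): array
{
    $allowedGenders = ['Male', 'Female'];           // assumed form values
    $gender = $post['txtGender'] ?? '';
    if (!in_array($gender, $allowedGenders, true)) {
        throw new InvalidArgumentException('invalid txtGender');
    }
    $religion = $post['religion'] ?? '';
    if (!preg_match('/^[A-Za-z ]{1,40}$/', $religion)) {
        throw new InvalidArgumentException('invalid religion');
    }
    // Fage must be an integer in an assumed plausible range.
    $fromAge = filter_var($post['Fage'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 18, 'max_range' => 99]]);
    if ($fromAge === false) {
        throw new InvalidArgumentException('invalid Fage');
    }
    $country = $post['cboCountry'] ?? '';
    if (!preg_match('/^[A-Za-z ]{1,60}$/', $country)) {
        throw new InvalidArgumentException('invalid cboCountry');
    }

    // Placeholders keep query structure fixed; values travel separately.
    $stmt = $db->prepare(
        'SELECT id, name, age, country FROM profiles'
        . ' WHERE gender = ? AND religion = ? AND age >= ? AND country = ?'
    );
    $stmt->bind_param('ssis', $gender, $religion, $fromAge, $country);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Even with allowlisting in place, the prepared statement is the control that removes the injection class; the validation mainly narrows what reaches the database and gives clean error handling.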

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection vulnerabilities in a public-facing web application directly enable exploitation of public-facing applications (T1190) and facilitate collection of data from databases via arbitrary SQL queries (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
