Platform: php
Component: ask-expert-script
Fixed in: 3.0.6
CVE-2019-25676 describes a SQL Injection vulnerability discovered in Ask Expert Script, version 3.0.5. The vulnerability allows unauthenticated attackers to inject malicious SQL code by manipulating URL parameters, potentially leading to data breaches and system compromise. It affects versions 3.0.5–3.0.5 (that is, 3.0.5 only), and a fix is available in an updated version of the script.
The SQL Injection vulnerability in Ask Expert Script allows attackers to bypass authentication and directly interact with the underlying database. By injecting malicious SQL code through parameters like cateid in categorysearch.php or view in list-details.php, an attacker could extract sensitive data such as user credentials, product information, or order details. Successful exploitation could also allow an attacker to modify or delete data, potentially disrupting the application's functionality or causing data loss. While no specific real-world exploitation has been publicly reported, the ease of exploitation and potential impact make this a significant risk.
CVE-2019-25676 was published on 2026-04-05. There is no indication of this vulnerability being actively exploited in the wild. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively easy to exploit, increasing the likelihood of future exploitation if left unpatched. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2019-25676 is to upgrade to a patched version of Ask Expert Script. If upgrading immediately is not possible, consider implementing input validation and sanitization on the cateid and view parameters to prevent malicious SQL code from being executed. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide a temporary layer of protection. Review and restrict database user permissions to limit the potential damage from a successful injection.
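The following is an added example, not code from Ask Expert Script or its vendor, showing what the unsafe handling of a request parameter such as cateid looks like and how the validation recommended above is applied in practice. It binds the value with a PDO prepared statement (the standard concrete form of "input validation and sanitization" for SQL; the advisory itself does not name a specific technique) and validates the non-numeric view parameter against an allow-list. The table name, column names, view names and the $pdo connection are assumptions; the parameter names cateid and view come from the advisory. It runs offline against an in-memory SQLite database.

```php
<?php
// Added example (not the script's own code). Assumed: a `categories` table with
// an integer `id` and a text `name`; parameter names `cateid` and `view` are
// taken from the advisory, everything else here is hypothetical.

// Unsafe pattern: the raw request value is spliced into the SQL text, so
// whatever the client puts in ?cateid= is parsed by the database as SQL.
function findCategoryUnsafe(PDO $pdo, array $get): array
{
    $sql = "SELECT id, name FROM categories WHERE id = " . ($get['cateid'] ?? '');
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the type first, then bind the value as a
// parameter so the database receives it as data, never as statement text.
function findCategorySafe(PDO $pdo, array $get): array
{
    // cateid must be a positive integer; anything else is rejected outright.
    $cateid = filter_var($get['cateid'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($cateid === false) {
        http_response_code(400);
        return [];
    }

    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $cateid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For a non-numeric parameter such as `view`, compare against an allow-list
// of known values instead of trying to "sanitize" free text.
function resolveView(array $get): ?string
{
    $allowed = ['summary', 'full'];   // hypothetical view names
    $view = $get['view'] ?? 'summary';
    return in_array($view, $allowed, true) ? $view : null;
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO categories (id, name) VALUES (1, 'Tax'), (2, 'Legal')");

var_dump(findCategorySafe($pdo, ['cateid' => '2']));          // valid id, returns the row
var_dump(findCategorySafe($pdo, ['cateid' => '2abc']));       // fails validation, returns []
var_dump(resolveView(['view' => 'full']));                    // allowed value
var_dump(resolveView(['view' => 'other']));                   // not on the allow-list
```

Two design choices worth noting: ATTR_EMULATE_PREPARES is set to false so that, on drivers such as MySQL, PDO sends a true server-side prepared statement rather than client-side string interpolation, and the integer check happens before the query is built, so a rejected request never touches the database. This complements rather than replaces the upgrade to the fixed version and the least-privilege database account the advisory recommends.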
Update to a corrected version of the Ask Expert script. Check the vendor's website or support forums for information about available updates. As no corrected version is provided, consider disabling or removing the script until an update is published.
CVE-2019-25676 is a SQL Injection vulnerability affecting Ask Expert Script versions 3.0.5–3.0.5 (that is, 3.0.5 only), allowing attackers to inject malicious SQL code via URL parameters.
If you are using Ask Expert Script versions 3.0.5–3.0.5 (that is, 3.0.5), you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Ask Expert Script. If immediate upgrade is not possible, implement input validation and sanitization on vulnerable parameters.
There is no public evidence of CVE-2019-25676 being actively exploited, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the vendor's website or security advisories for the latest information and updates regarding CVE-2019-25676.