CVE-2019-25442
Published: 22 February 2026
Summary
CVE-2019-25442 is a high-severity SQL Injection (CWE-89) vulnerability in Webwiz Web Wiz Forums. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25442 is an SQL injection vulnerability in Web Wiz Forums version 12.01, specifically affecting the member_profile.asp component. The flaw arises from insufficient input validation on the PF parameter, enabling attackers to inject arbitrary SQL code into database queries. Assigned CWE-89, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no requirements for privileges or user interaction.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted GET requests to member_profile.asp with malicious values in the PF parameter. Successful exploitation allows manipulation of database queries, potentially leading to the extraction of sensitive information such as user credentials, forum data, or other database contents hosted by the application.
Advisories and references, including an Exploit-DB entry (https://www.exploit-db.com/exploits/47284) providing a proof-of-concept and a Vulncheck advisory (https://www.vulncheck.com/advisories/web-wiz-forums-sql-injection-via-pf-parameter), detail the injection technique, but the available information specifies no vendor patch or mitigation. Security practitioners should verify input sanitization in affected installations and upgrade or apply a custom fix to prevent exploitation.
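As an added example (not code from Web Wiz Forums or from this advisory), the following Python implements the SI-10 style allow-list check for the PF parameter that the advice above calls for, and reuses it as a detection run over constructed web-server log lines for member_profile.asp. It assumes PF is meant to be a numeric member identifier, which the page does not state, and that query-string names are matched case-insensitively as IIS does.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2026:10:00:01 +0000] "GET /forum/member_profile.asp?PF=42 HTTP/1.1" 200 5120
203.0.113.5 - - [22/Feb/2026:10:00:03 +0000] "GET /forum/member_profile.asp?PF=42%27%20OR%201%3D1-- HTTP/1.1" 500 412
203.0.113.7 - - [22/Feb/2026:10:00:05 +0000] "GET /forum/default.asp HTTP/1.1" 200 9001
203.0.113.9 - - [22/Feb/2026:10:00:09 +0000] "GET /forum/member_profile.asp?pf=abc HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: PF identifies a member by numeric id, so the allow-list is digits only.
PF_ALLOWED = re.compile(r'\d{1,10}')


def is_valid_pf(value: str) -> bool:
    """SI-10 style input validation: accept only a plain positive integer."""
    return PF_ALLOWED.fullmatch(value) is not None


def suspicious_pf_requests(log_text: str) -> list:
    """Return requests to member_profile.asp whose PF value fails validation."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.lower().endswith("/member_profile.asp"):
            continue
        # IIS reads query-string names case-insensitively (assumed), so match pf/PF alike.
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "pf":
                continue
            for raw in values:
                decoded = unquote(raw)  # parse_qs decoded once; this catches double-encoding
                if not is_valid_pf(decoded):
                    findings.append({"ip": m.group("ip"), "pf": decoded,
                                     "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in suspicious_pf_requests(SAMPLE_LOG):
        print(f"{f['ip']} PF={f['pf']!r} status={f['status']}")
```

The same `is_valid_pf` check, applied server-side before the value reaches the query, is the input-validation control; the log scan only shows where that control would have fired.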
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19605
Vulnerability details
Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote SQL injection in a public-facing web app (member_profile.asp) matches T1190 exactly; enables DB data/credential extraction but no other Enterprise techniques are directly facilitated by the flaw itself.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the PF parameter, so that SQL injection payloads are blocked before they reach database queries.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in member_profile.asp.
- Enforces restrictions on information inputs at application boundaries to limit the size, format, or content of malicious PF parameter values used in SQL injection.