Cyber Resilience

CVE-2019-25442

High · Public PoC

Published: 22 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0038 (29.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25442 is a high-severity SQL Injection (CWE-89) vulnerability in Web Wiz Forums (vendor: Webwiz). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 29.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25442 is an SQL injection vulnerability in Web Wiz Forums version 12.01, specifically affecting the member_profile.asp component. The flaw arises from insufficient input validation on the PF parameter, enabling attackers to inject arbitrary SQL code into database queries. Assigned CWE-89, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted GET requests to member_profile.asp with malicious values in the PF parameter. Successful exploitation allows manipulation of database queries, potentially leading to the extraction of sensitive information such as user credentials, forum data, or other database contents hosted by the application.

Advisories and references, including an Exploit-DB entry (https://www.exploit-db.com/exploits/47284) providing a proof-of-concept and a Vulncheck advisory (https://www.vulncheck.com/advisories/web-wiz-forums-sql-injection-via-pf-parameter), describe the injection technique, but the available information specifies no patch or vendor mitigation. Security practitioners should verify input sanitization in affected installations and consider upgrading or applying custom fixes to prevent exploitation.

Vulnerability details

Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote SQL injection in a public-facing web application (member_profile.asp) matches T1190 exactly. The flaw enables extraction of database data and credentials, but it does not directly facilitate any other Enterprise technique on its own.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-24956 (shared CWE-89)
- CVE-2026-33615 (shared CWE-89)
- CVE-2025-28939 (shared CWE-89)
- CVE-2021-47872 (shared CWE-89)
- CVE-2025-28873 (shared CWE-89)
- CVE-2019-25636 (shared CWE-89)
- CVE-2026-32611 (shared CWE-89)
- CVE-2026-42755 (shared CWE-89)
- CVE-2024-53544 (shared CWE-89)
- CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: webwiz
Product: web wiz forums
Version: 12.01

Mitigating Controls (NIST 800-53 r5) · AI

- Prevent (SI-10 Information Input Validation): Directly requires validation of untrusted inputs like the PF parameter to block SQL injection payloads before they reach database queries.
- Prevent (SI-2 Flaw Remediation): Mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in member_profile.asp.
- Prevent: Enforces restrictions on information inputs at application boundaries to limit the size, format, or content of malicious PF parameter values used in SQL injection.

References