CVE-2019-25444
Published: 20 February 2026
Summary
CVE-2019-25444 is a high-severity SQL Injection (CWE-89) vulnerability in Phpscriptsmall Fiverr Clone Script. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25444 is an SQL injection vulnerability (CWE-89) affecting Fiverr Clone Script version 1.2.2. The issue resides in the handling of the "page" parameter, which is not validated or sanitized before being used in a database query, allowing attackers to inject arbitrary SQL into that query. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.1 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: network-reachable, low attack complexity, no privileges or user interaction required, high impact on confidentiality and integrity, and no impact on availability. The v3.1 scale rates 9.1 as Critical; the summary above lists 8.8 (High), but the vector shown here computes to 9.1.
Unauthenticated remote attackers can exploit this vulnerability by supplying SQL syntax in the page parameter, altering the structure of the database query without any privileges or user interaction. Successful exploitation allows extraction of sensitive database content, such as user credentials or other confidential data, as well as modification of database contents, leading to data tampering or unauthorized access.
Advisories and exploit details are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/46637) and VulnCheck (https://www.vulncheck.com/advisories/fiverr-clone-script-sql-injection-via-page-parameter), which describe the vulnerability and proof-of-concept exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19714
Vulnerability details
Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. Attackers can supply malicious SQL syntax in the page parameter to extract sensitive database information or modify database contents.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQLi in public web app directly enables remote exploitation (T1190); facilitates DB data access (T1213.006) and stored data tampering (T1565.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-supplied inputs such as the page parameter: the application should accept only a well-formed value (here, an integer page identifier), reject everything else, and pass the value to the database through a parameterized query rather than string concatenation, so that injected SQL is never interpreted as part of the query.
SI-9 (Information Input Restrictions) is withdrawn in Revision 5 and incorporated into AC-2, AC-3, AC-5 and AC-6; the measure it is cited for here, restricting the page parameter to safe values such as integers, is covered by the SI-10 validation above.
SI-2 mandates timely identification, reporting, and patching of flaws like this SQL injection vulnerability in Fiverr Clone Script 1.2.2.
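The following is an added illustration of the CWE-89 pattern described in the analysis above and of the SI-10 control listed here; it is not code from Fiverr Clone Script (which is a PHP application) and the table names, column names and sample rows are constructed for the demo. It models a "page" parameter concatenated straight into a query, shows what a UNION and a tautology payload return against that query, and then the hardened handler that validates the parameter as a positive integer and binds it as a query parameter.

```python
"""Vulnerable vs. hardened handling of a "page" request parameter.

Added example, not the product's own code. Uses an in-memory SQLite database
with a constructed schema (pages, users); the real application's schema is unknown.
"""
import re
import sqlite3


def setup_db():
    """Create a throwaway database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES (1, 'Home'), (2, 'About');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def fetch_page_vulnerable(conn, page):
    """CWE-89 pattern: the raw request parameter becomes part of the SQL text."""
    sql = f"SELECT title FROM pages WHERE id = {page}"
    return [row[0] for row in conn.execute(sql)]


# SI-10 style allow-list: a positive integer of at most ten digits, nothing else.
PAGE_RE = re.compile(r"[1-9][0-9]{0,9}")


def parse_page_param(page):
    """Return the page id as an int, or raise ValueError for any other input."""
    if not isinstance(page, str) or not PAGE_RE.fullmatch(page):
        raise ValueError("invalid page parameter")
    return int(page)


def fetch_page_hardened(conn, page):
    """Validate first, then bind the value; the database never parses it as SQL."""
    page_id = parse_page_param(page)
    return [row[0] for row in conn.execute(
        "SELECT title FROM pages WHERE id = ?", (page_id,))]


def demo():
    """Run both handlers against a benign value and two classic payloads."""
    conn = setup_db()
    benign = "1"
    union_payload = "1 UNION SELECT username || ':' || password_hash FROM users"
    tautology_payload = "1 OR 1=1"
    results = {
        "vuln_benign": fetch_page_vulnerable(conn, benign),
        # UNION appends a row built from the users table to the page lookup.
        "vuln_union": fetch_page_vulnerable(conn, union_payload),
        # OR 1=1 makes the WHERE clause always true and returns every page.
        "vuln_tautology": fetch_page_vulnerable(conn, tautology_payload),
        "hard_benign": fetch_page_hardened(conn, benign),
    }
    for name, payload in (("hard_union", union_payload),
                          ("hard_tautology", tautology_payload)):
        try:
            fetch_page_hardened(conn, payload)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In PHP, the same two steps are `filter_var($_GET['page'], FILTER_VALIDATE_INT)` (or a strict regular-expression check) for the SI-10 validation and a PDO prepared statement with `bindValue(..., PDO::PARAM_INT)` for the query; validating alone is not a substitute for binding, because a later change that accepts non-numeric page names would reopen the hole.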