Cyber Posture

CVE-2019-25455

Severity: High · Public PoC

Published: 22 February 2026
Modified: 02 March 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25455 is a high-severity SQL Injection (CWE-89) vulnerability in Web-Ofisi E-Ticaret. Its CVSS base score is 7.5 (High).

Operationally, it is ranked at the 34.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.

NVD Description

Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information.

Deeper analysis (AI)

CVE-2019-25455 is an SQL injection vulnerability (CWE-89) affecting Web Ofisi E-Ticaret v3. The flaw allows unauthenticated attackers to inject SQL code through the 'a' parameter, enabling manipulation of database queries. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility, low attack complexity, no privileges required, and high confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability without user interaction. By crafting GET requests with specially injected SQL payloads in the 'a' parameter, they can achieve unauthorized extraction of sensitive data from the underlying database, such as user credentials, orders, or other business information hosted by the e-commerce platform.

Advisories referenced in the CVE include an Exploit-DB entry (47139) demonstrating a working exploit, a VulnCheck advisory detailing the SQL injection via ara.html, and a vendor product page for E-Ticaret v3 sanal POS. No specific patches or mitigation steps are detailed in the provided CVE information.

Details

CWE(s): CWE-89

Affected Products: web-ofisi / e-ticaret 3.0.0

CVEs Like This One

CVE-2018-25210: same product (Web-Ofisi E-Ticaret)
CVE-2019-25458: same vendor (Web-Ofisi)
CVE-2019-25459: same vendor (Web-Ofisi)
CVE-2019-25461: same vendor (Web-Ofisi)
CVE-2019-25456: same vendor (Web-Ofisi)
CVE-2019-25460: same vendor (Web-Ofisi)
CVE-2019-25457: same vendor (Web-Ofisi)
CVE-2026-2094: shared CWE-89
CVE-2026-3180: shared CWE-89
CVE-2025-1872: shared CWE-89

References