CVE-2019-25639
Published: 24 March 2026
Summary
CVE-2019-25639 is a high-severity SQL injection (CWE-89) vulnerability in Matrimony Website Script M-Plus by Matri4Web (vendor inferred from references). Its CVSS v3.1 base score is 8.2 (High), consistent with the vector given in the deeper analysis below.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25639 covers multiple SQL injection vulnerabilities (CWE-89) in the Matrimony Website Script M-Plus. The flaws affect several PHP files, including simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php. Attackers can inject SQL through POST parameters such as txtGender, religion, Fage, and cboCountry, altering the structure of the database queries those scripts build.
Unauthenticated remote attackers can exploit these vulnerabilities with low attack complexity and no user interaction, as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation allows extraction of sensitive database information or execution of arbitrary SQL commands, exposing user data such as the personal details stored in a matrimony site's database. Note that the vector rates confidentiality impact High but integrity impact Low, so the score reflects data disclosure more than data tampering; a search endpoint that reads back query results is a natural place for UNION-based extraction.
Advisories and related resources, including an exploit proof-of-concept at https://www.exploit-db.com/exploits/46591, the vendor site at https://www.matri4web.com, and a Vulncheck advisory at https://www.vulncheck.com/advisories/matrimony-website-script-m-plus-multiple-sql-injection, provide further details on the issues.
A public exploit is available on Exploit-DB, highlighting the risk of real-world abuse against unpatched instances of this matrimony script.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20018
Vulnerability details
Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerabilities in a public-facing web application directly enable exploitation of public-facing applications (T1190) and facilitate collection of data from databases via arbitrary SQL queries (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of all information inputs, directly preventing SQL injection via untrusted POST parameters like txtGender and religion in the vulnerable PHP files. In practice this means parameterized queries plus allowlisting of enumerated fields, not escaping alone.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the SQL injection vulnerabilities in Matrimony Website Script M-Plus.
- SC-7 (Boundary Protection): enforces inspection of communications at web application interfaces to block SQL injection payloads before they reach vulnerable endpoints. Treat this as defense in depth; signature-based filtering of POST parameters is bypassable and does not remove the underlying flaw.