CVE-2019-25639
Received Received - Intake
Multiple SQL Injection Vulnerabilities in Matrimony Website Script M-Plus

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: VulnCheck

Description
Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25639
EUVD
EUVD-2019-20018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
matri4web matrimony_website_script_m_plus to M-Plus (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25639 involves multiple SQL injection vulnerabilities in the Matrimony Website Script M-Plus. These vulnerabilities allow unauthenticated attackers to inject malicious SQL code through various POST parameters such as txtGender, religion, Fage, and cboCountry in several PHP scripts including simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php.

By exploiting these injection points, attackers can manipulate database queries to extract sensitive information or execute arbitrary SQL commands, potentially compromising the backend database.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information, data leakage, and manipulation of database queries. Attackers can extract confidential data or execute arbitrary SQL commands, which may lead to data tampering or full compromise of the backend database.

Since the attack requires no authentication and has low complexity, it poses a high risk to affected systems.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the vulnerable PHP endpoints with specially crafted SQL injection payloads in the POST parameters. The vulnerable parameters include txtGender, religion, Fage, and cboCountry in scripts such as simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php.'}, {'type': 'paragraph', 'content': 'Example commands to detect the vulnerability include sending POST requests with tautology-based SQL injection payloads or time-based blind SQL injection payloads to these endpoints. For instance, using curl to test simplesearch_results.php with the txtGender parameter:'}, {'type': 'list_item', 'content': 'curl -X POST -d "txtGender=-1\' OR 3*2*1=6 AND 000715=000715 -- " https://targetsite.com/simplesearch_results.php'}, {'type': 'list_item', 'content': 'curl -X POST -d "religion=-1\' OR 3*2*1=6 AND 000723=000723 -- " https://targetsite.com/advsearch_results.php'}, {'type': 'list_item', 'content': 'curl -X POST -d "Fage=Fage=(select(0)from(select(sleep(0)))v)/*\'+(select(0)from(select(sleep(0)))v)+\'\\"+(select(0)from(select(sleep(0)))v)+\'\\"*/" https://targetsite.com/specialcase_results.php'}, {'type': 'list_item', 'content': 'curl -X POST -d "cboCountry=-1\' OR 3*2*1=6 AND 000567=000567 -- " https://targetsite.com/locational_results.php'}, {'type': 'list_item', 'content': 'curl -X POST -d "religion=-1\' OR 3*2*1=6 AND 000830=000830 -- " https://targetsite.com/registration2.php'}, {'type': 'paragraph', 'content': 'Successful injection may result in altered query results, error messages, or time delays (in case of time-based injections), indicating the presence of SQL injection vulnerabilities.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include:

  • Sanitize and validate all user inputs, especially POST parameters such as txtGender, religion, Fage, and cboCountry, to prevent malicious SQL code injection.
  • Use prepared statements with parameterized queries instead of directly embedding user inputs into SQL queries.
  • Apply web application firewall (WAF) rules to detect and block common SQL injection payloads targeting the vulnerable endpoints.
  • Restrict database user permissions to limit the impact of any successful injection.
  • If possible, update or patch the Matrimony Website Script M-Plus to a version where these vulnerabilities are fixed.

These steps help reduce the risk of exploitation while a permanent fix is developed or applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25639. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart