CVE-2019-25676
Received Received - Intake

Cross-Site Scripting and SQL Injection in Ask Expert

Vulnerability report for CVE-2019-25676, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-05

Last updated on: 2026-04-20

Assigner: VulnCheck

Description

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code through the view parameter in list-details.php to execute arbitrary code or extract database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-05
Last Modified
2026-04-20
Generated
2026-07-06
AI Q&A
2026-04-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
phpscriptsmall ask_expert_script 3.0.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Ask Expert Script 3.0.5 involves cross-site scripting (XSS) and SQL injection issues. Unauthenticated attackers can exploit these by manipulating URL parameters. Specifically, they can inject malicious script tags through the 'cateid' parameter in the categorysearch.php file, leading to cross-site scripting attacks. Additionally, they can inject SQL code through the 'view' parameter in list-details.php, which can allow execution of arbitrary code or extraction of database information.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of malicious scripts in users' browsers (via XSS), which can lead to session hijacking, defacement, or redirection to malicious sites. The SQL injection aspect can allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive database information, data leakage, or manipulation of the database.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart