CVE-2019-25639
Description
Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Matrimony Website Script M-Plus via multiple POST parameters allows attackers to execute arbitrary SQL commands.
Vulnerability
Overview
Matrimony Website Script M-Plus contains multiple unauthenticated SQL injection vulnerabilities [1]. The application fails to sanitize user-supplied input passed through POST parameters such as txtGender, religion, Fage, and cboCountry. An attacker can inject malicious SQL payloads into these parameters across several PHP scripts, including simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php [2].
Exploitation
Details
Exploitation requires no authentication; an attacker can send crafted POST requests to any of the vulnerable endpoints. The proof of concept demonstrates boolean-based blind SQL injection: appending OR 3*2*1=6 AND 000715=000715 -- to the txtGender parameter injects a condition that always evaluates true, and the resulting change in the page's response confirms that the injected SQL was executed by the database [2]. Swapping the arithmetic for a sleep-based condition turns the same injection point into a time-based oracle from which data can be extracted one bit at a time; where the database driver accepts stacked queries, the attacker can also run arbitrary statements.
Impact
Successful exploitation allows an unauthenticated attacker to read sensitive database contents, including user credentials and personal profile information. Depending on the privileges of the database account the application connects with, the attacker may also be able to modify data or execute arbitrary SQL commands, potentially leading to full compromise of the database and, with a sufficiently privileged account, the underlying server.
Mitigation
Status
As of the publication date, the vendor's website indicates the product is actively marketed [1]. No official patch or advisory has been published by the vendor for M-Plus. Until a fixed version is available, operators should treat web application firewall rules that block SQL injection patterns on the affected parameters as an interim control only, since such filtering can be bypassed, and should fix the code itself by replacing string-concatenated queries with prepared statements and bound parameters. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of March 2026.
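The following is an added illustration, not code from M-Plus or from the cited proof of concept. It reproduces the flaw described in the Exploitation section (a POST value concatenated into the WHERE clause of a profile search) against a constructed SQLite table, shows why the page's payload acts as a true/false oracle, and pairs it with the parameterized query recommended above. The table layout, sample rows, and the assumption that the original query wraps txtGender in single quotes (so the PoC payload is preceded by a closing quote) are all assumptions made for this example.

```python
"""Added example: boolean-blind SQL injection through a string-built gender
filter, beside a parameterised query that closes it. Not M-Plus code; the
schema, rows and quoting assumption are constructed for illustration."""
import sqlite3

# Constructed sample data standing in for a matrimony profile table.
SAMPLE_PROFILES = [
    ("alice", "Female", "hash1"),
    ("bob", "Male", "hash2"),
    ("carol", "Female", "hash3"),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE profiles (username TEXT, gender TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO profiles VALUES (?, ?, ?)", SAMPLE_PROFILES)
    return con


def vulnerable_search(con: sqlite3.Connection, txt_gender: str) -> list[str]:
    """Mirrors the flaw described for simplesearch_results.php: the POST value
    is interpolated straight into the SQL text. Assumption: the original wraps
    the value in single quotes, as a PHP string-built query typically does."""
    sql = f"SELECT username FROM profiles WHERE gender = '{txt_gender}' ORDER BY username"
    return [row[0] for row in con.execute(sql)]


def safe_search(con: sqlite3.Connection, txt_gender: str) -> list[str]:
    """Hardened form: the value travels as a bound parameter and can never be
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username FROM profiles WHERE gender = ? ORDER BY username"
    return [row[0] for row in con.execute(sql, (txt_gender,))]


# The payload quoted on the page, preceded by a quote that closes the string
# literal (the leading quote is this example's assumption; the rest is verbatim).
# Because AND binds tighter than OR, the clause becomes
#   gender = 'Female' OR (6 = 6 AND 715 = 715)   -> true for every row.
TRUE_PAYLOAD = "Female' OR 3*2*1=6 AND 000715=000715 -- "
# Same shape with a false arithmetic condition, so the OR branch contributes
# nothing and the query behaves like an honest search.
FALSE_PAYLOAD = "Female' OR 3*2*1=7 AND 000715=000715 -- "


def blind_oracle(con: sqlite3.Connection, payload: str) -> bool:
    """Boolean-blind probing: the attacker learns whether the injected condition
    held by comparing the response against the honest baseline. Replacing the
    arithmetic with a sleep() call gives the time-based variant of the same idea."""
    baseline = vulnerable_search(con, "Female")
    return len(vulnerable_search(con, payload)) > len(baseline)


if __name__ == "__main__":
    con = build_db()
    print(vulnerable_search(con, TRUE_PAYLOAD))   # gender filter defeated: all rows
    print(vulnerable_search(con, FALSE_PAYLOAD))  # only the Female rows
    print(safe_search(con, TRUE_PAYLOAD))         # []: the payload is just a string
```

The true and false payloads differ only in one digit, yet the vulnerable query returns a different number of rows for each; that difference is the whole information channel of a blind injection, and it disappears once the value is bound instead of concatenated.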
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in our index yet)