Description
Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code through the view parameter in list-details.php to execute arbitrary code or extract database information.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Theft
Action: Immediate Patch
AI Analysis

Impact

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection flaws that can be triggered by unauthenticated users through the cateid parameter in categorysearch.php or the view parameter in list-details.php. An attacker can inject script tags or SQL code, leading to script execution in a victim's browser or to extraction of database contents. The vulnerability therefore enables both data theft and cross-site scripting.

Affected Systems

Phpscriptsmall’s Ask Expert Script version 3.0.5 is vulnerable. The flaw exists in the web application shipped by the vendor and can affect any instance that has not been patched or updated.

Risk and Exploitability

The CVSS v4.0 score of 8.8 (CVSS v3.1: 8.2) classifies this as high severity. The EPSS score is < 1%, indicating a very low but non-zero likelihood of exploitation, and it is not listed in the CISA KEV catalog. The attack requires only an unauthenticated HTTP request to a publicly reachable URL: because exploitation consists of passing crafted query string values, any attacker with internet connectivity can attempt it. No authentication or privileged access is required, which makes the risk significant.

Generated by OpenCVE AI on April 21, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Deploy any vendor-supplied patch or upgrade to a fixed version of Ask Expert Script.
  • If a patch is unavailable, restrict remote access to the vulnerable endpoints (categorysearch.php and list-details.php) or implement IP-based filtering.
  • Apply input validation or parameter sanitization to the cateid and view query parameters to prevent injection of malicious code.
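The validation and parameterization the list above recommends, as an added PHP example (not code from Ask Expert Script or its vendor); the PDO connection, the listings table and its slug column, and the output markup are assumptions:

```php
<?php
// Added example, not code from Ask Expert Script or its vendor: hardened
// handling of the two query parameters named in this advisory. Assumes PHP 8+,
// a PDO connection ($pdo, emulated prepares off) and a hypothetical "listings"
// table with a "slug" column; adapt both to the real schema.
declare(strict_types=1);

// categorysearch.php?cateid=...  The value is only ever a category id, so
// allow-list it as a positive integer before it reaches SQL or HTML.
function parseCategoryId(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                   // anything but [0-9]+ is rejected
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// list-details.php?view=...  The unsafe pattern is concatenating the raw value
// into the query ("... WHERE slug = '$view'"); binding it as a parameter keeps
// it data, so SQL syntax inside it is never interpreted.
function fetchListing(PDO $pdo, string $view): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM listings WHERE slug = :view');
    $stmt->bindValue(':view', $view, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Every value reflected into the page is HTML-encoded at the point of output,
// which covers script-tag injection regardless of which parameter carried it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Request handling as it might look in categorysearch.php (constructed):
$cateid = parseCategoryId($_GET['cateid'] ?? null);
if ($cateid === null) {
    http_response_code(400);
    exit('Invalid category id');
}
echo '<h1>Category ' . h((string) $cateid) . '</h1>';

// ...and in list-details.php (constructed):
$view = $_GET['view'] ?? '';
$listing = is_string($view) ? fetchListing($pdo, $view) : null;
echo $listing === null ? '<p>Not found</p>' : '<h1>' . h($listing['title']) . '</h1>';
```

The integer allow-list rejects array-valued and non-numeric input outright, and the bound parameter plus output encoding close both the SQL and the HTML injection paths even if a value slips through elsewhere.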

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:00:00 +0000

Weaknesses (values added): CWE-89
CPEs (values added): cpe:2.3:a:phpscriptsmall:ask_expert_script:3.0.5:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

First Time appeared (values added): Phpscriptsmall; Phpscriptsmall ask Expert Script
Vendors & Products (values added): Phpscriptsmall; Phpscriptsmall ask Expert Script

Mon, 06 Apr 2026 16:45:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Description (values added): Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code through the view parameter in list-details.php to execute arbitrary code or extract database information.
Title (values added): Ask Expert Script 3.0.5 Cross Site Scripting SQL Injection
Weaknesses (values added): CWE-79
References: (empty)
Metrics (values added): cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics (values added): cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:27:22.571Z

Reserved: 2026-04-05T13:27:41.368Z

Link: CVE-2019-25676

Vulnrichment

Updated: 2026-04-06T15:22:50.375Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:45.620

Modified: 2026-04-20T17:53:43.537

Link: CVE-2019-25676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses