CVE-2019-25726: All in One Video Downloader 1.2 SQL Injection via admin page-edit
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.
Security readout for executives and security teams
Plain-English summary
All in One Video Downloader 1.2 has an unauthenticated SQL injection issue. An attacker reaching the affected admin edit page could query the application database and expose sensitive data such as usernames and database metadata. The bundle does not name a vendor patch.
Executive priority
Prioritize within the next remediation cycle for any reachable deployment. Escalate to urgent if the application is public-facing or stores user, credential, or business-sensitive data.
Technical view
The issue is CWE-89 in the admin page-edit flow. The id parameter is described as injectable, enabling arbitrary SQL queries through UNION-based SQL injection. CVSS 4.0 is 8.8, with network access, low complexity, no privileges, and no user interaction required.
Likely exposure
Exposure is most likely on internet-facing or internally reachable installations of Nicheoffice All in One Video Downloader version 1.2, especially where the admin interface is accessible without network restrictions.
Exploitation context
A public ExploitDB reference exists, but the source bundle does not show CISA KEV listing or confirmed active exploitation. Treat this as practical and high-risk, not proven actively exploited.
Researcher notes
The bundle supports unauthenticated SQL injection and public exploit availability, but does not provide patch details, CPEs, or active exploitation evidence. Validation should focus on version, route exposure, and defensive log review.
Mitigation direction
Inventory all All in One Video Downloader deployments and identify version 1.2.
Restrict access to the admin interface until remediation is confirmed.
Check vendor or product channels for a fixed release or official guidance.
Retire or replace unsupported deployments if no maintained fix exists.
Review database privileges and rotate credentials if compromise is suspected.
Validation and detection
Confirm whether the installed product is All in One Video Downloader 1.2.
Verify whether the admin page-edit route is reachable from untrusted networks.
Review web logs for suspicious id parameter activity on admin edit pages.
Use safe code review or approved scanning to confirm parameterized database access.
Check database audit logs for unexpected metadata or account queries.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.