Impact
The Joomla! Component User Bench 1.0 contains a classic SQL injection flaw that enables an unauthenticated attacker to send malicious code through the userid parameter in a GET request. This allows the execution of arbitrary SQL statements against the Joomla database, giving the attacker the ability to read, modify, or delete sensitive data including user credentials, configuration settings, and other confidential information. The weakness falls under CWE-89 and is a direct exploitation of an input validation failure that compromises confidentiality and potentially integrity.
Affected Systems
The vulnerability is present in the User Bench component developed by Gegabyte. All installations using User Bench 1.0 are affected; no higher or lower versions are listed as impacted.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity risk. Because EPSS is not available the exploitation probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code through standard HTTP GET traffic to index.php with a crafted userid value, meaning the attack can be performed remotely without authentication. The public availability of exploitation scripts increases the likelihood of real-world exploitation.
OpenCVE Enrichment