Description
Joomla! Component Quiz Deluxe 3.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the ajaxaction.flag_question task. Attackers can inject malicious SQL code via the stu_quiz_id or flag_quest parameters to manipulate database queries and extract sensitive information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! Component Quiz Deluxe is affected by an unauthenticated SQL injection flaw in version 3.7.4. The vulnerability resides in the ajaxaction.flag_question task and can be triggered by sending crafted values to the stu_quiz_id or flag_quest parameters. Attackers may inject arbitrary SQL code, allowing them to read, modify, or delete data within the Joomla! database.

Affected Systems

Affected systems include sites running Joomplace's Quiz Deluxe component version 3.7.4. The issue is specific to this component and version; newer or other versions are not known to be vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this as a high severity issue, and the lack of an EPSS score means the exploitation probability is unknown but the vulnerability can be readily exploited by unauthenticated users over the network. It is not listed in the CISA KEV catalog. Attackers likely exploit this by making simple HTTP requests to the exposed endpoint.

Generated by OpenCVE AI on June 19, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quiz Deluxe to a version that contains the fix, such as the latest release from Joomplace.
  • If an update is not feasible, restrict access to the ajaxaction.flag_question endpoint or disable the quiz component entirely.
  • Deploy web application firewall rules that detect and block typical SQL injection patterns on the stu_quiz_id and flag_quest parameters.

Generated by OpenCVE AI on June 19, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomplace
Joomplace quiz Deluxe
Vendors & Products Joomplace
Joomplace quiz Deluxe

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component Quiz Deluxe 3.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the ajaxaction.flag_question task. Attackers can inject malicious SQL code via the stu_quiz_id or flag_quest parameters to manipulate database queries and extract sensitive information.
Title Joomla! Component Quiz Deluxe 3.7.4 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomplace Quiz Deluxe
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T16:43:45.156Z

Reserved: 2026-06-19T14:36:58.661Z

Link: CVE-2017-20257

cve-icon Vulnrichment

Updated: 2026-06-22T16:43:33.933Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:46Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')