Description
Joomla! Component Price Alert 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Price Alert component for Joomla! 3.0.2 contains an SQL injection flaw that allows an unauthenticated attacker to inject arbitrary SQL statements through the product_id parameter used in the subscribeajax view. This vulnerability can be exploited by sending crafted HTTP requests that return sensitive database contents, including user credentials and configuration details, potentially leading to a full compromise of the Joomla site’s data store.

Affected Systems

Systems using the Joomla! Component Price Alert version 3.0.2 provided by Weborange are affected. The component may be present on any Joomla installation that has integrated this extension, and older versions of the component are believed to be susceptible as well.

Risk and Exploitability

The flaw scores 8.8 on CVSS, indicating a high severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The attack vector is likely remote and unauthenticated, requiring the attacker to send an HTTP request to the subscribeajax endpoint with a malicious product_id payload. An attacker does not need to authenticate or possess elevated privileges to exploit this flaw, making it readily accessible from the public internet.

Generated by OpenCVE AI on June 19, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Price Alert component to the latest released version that eliminates the SQL injection flaw.
  • If an update is not feasible, uninstall or disable the component to remove the vulnerable code path.
  • Configure the web server or a web application firewall to block or filter requests containing SQL keywords on the product_id parameter, and restrict access to the subscribeajax endpoint to authorized users only.

Generated by OpenCVE AI on June 19, 2026 at 19:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component Price Alert 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data.
Title Joomla! Component Price Alert 3.0.2 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T15:44:16.707Z

Reserved: 2026-06-19T14:57:14.264Z

Link: CVE-2017-20260

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')