Description
Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Joomla Event Registration Pro Calendar 4.1.3 allows attackers to inject arbitrary SQL code through the id parameter in a GET request. This is a CWE-89 vulnerability. This injection can read or modify database contents, enabling the exfiltration of sensitive data such as user credentials, registration records, and other confidential information. The vulnerability does not directly grant code execution, but it compromises the confidentiality and integrity of the database.

Affected Systems

Joomlashowroom’s Event Registration Pro Calendar version 4.1.3 is affected. No other versions are listed, so only installations of exactly this version are known to be vulnerable.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is considered high severity. The EPSS score is not available, and the issue is not listed in CISA KEV. Attackers can exploit the flaw from anywhere with internet access by sending a crafted GET request to index.php, and because the attacker is unauthenticated the exploitation surface is broad. The lack of a KEV listing suggests limited field exploitation to date, but the high score indicates a serious potential impact if the flaw were to be leveraged.

Generated by OpenCVE AI on June 19, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Event Registration Pro Calendar newer than 4.1.3.
  • If an upgrade is not possible, disable or remove the vulnerable component from the Joomla installation.
  • Apply an application firewall or input validation rules that block malformed id parameters and other suspicious query strings.

Generated by OpenCVE AI on June 19, 2026 at 20:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomlashowroom
Joomlashowroom event Registration Pro Calendar
Vendors & Products Joomlashowroom
Joomlashowroom event Registration Pro Calendar

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information.
Title Joomla Event Registration Pro Calendar 4.1.3 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomlashowroom Event Registration Pro Calendar
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T14:18:37.207Z

Reserved: 2026-06-19T15:07:50.439Z

Link: CVE-2017-20273

cve-icon Vulnrichment

Updated: 2026-06-22T14:18:29.097Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:18Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')