Impact
A flaw in Joomla Event Registration Pro Calendar 4.1.3 allows attackers to inject arbitrary SQL code through the id parameter in a GET request. This is a CWE-89 vulnerability. This injection can read or modify database contents, enabling the exfiltration of sensitive data such as user credentials, registration records, and other confidential information. The vulnerability does not directly grant code execution, but it compromises the confidentiality and integrity of the database.
Affected Systems
Joomlashowroom’s Event Registration Pro Calendar version 4.1.3 is affected. No other versions are listed, so only installations of exactly this version are known to be vulnerable.
Risk and Exploitability
With a CVSS score of 8.8 the vulnerability is considered high severity. The EPSS score is not available, and the issue is not listed in CISA KEV. Attackers can exploit the flaw from anywhere with internet access by sending a crafted GET request to index.php, and because the attacker is unauthenticated the exploitation surface is broad. The lack of a KEV listing suggests limited field exploitation to date, but the high score indicates a serious potential impact if the flaw were to be leveraged.
OpenCVE Enrichment