Impact
Joomla JoomRecipe version 1.0.4 contains a blind SQL injection flaw in the search_author parameter on its search results page. Through POST requests to the search endpoint, an attacker can inject SQL code that exploits boolean-based blind techniques to retrieve database contents such as user credentials and configuration data. The vulnerability originates from untrusted input being incorporated directly into a SQL statement without proper sanitization, identified as CWE‑89.
Affected Systems
The affected vendor is Joomboost and the vulnerable product is the Joomla JoomRecipe component. Only version 1.0.4 is known to contain the flaw; newer releases presumably remove the issue. Any Joomla site that installs JoomRecipe 1.0.4 is therefore at risk.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is classified as High severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote via web requests to the search endpoint, as attackers can craft POST requests to the search_author parameter. No authentication or privileged context is explicitly required in the description, suggesting that an unauthenticated attacker could potentially exploit the flaw. The high CVSS rating indicates that the threat remains significant for affected systems.
OpenCVE Enrichment