Impact
Joomla Payage 2.05 contains an unauthenticated SQL injection flaw that lets attackers inject arbitrary SQL through the aid parameter of the make_payment task. The injection can be exploited via GET requests to index.php, enabling boolean‑based blind or time‑based extraction of sensitive data such as user credentials, payment records, or other private database contents. This vulnerability is classified as CWE‑89 and allows a remote attacker to read information from the database without requiring authentication.
Affected Systems
The affected product is the Joomla Payage extension, specifically version 2.05. No other versions or products are listed as affected in the current CIA data.
Risk and Exploitability
With a CVSS score of 8.8 the flaw is considered High severity. EPSS is not available, so the probability of exploitation cannot be quantified, and the vulnerability is not present in the CISA KEV catalog. Attackers can reach the vulnerable endpoint directly, send crafted GET requests, and retrieve data through the SQL injection, which requires no prior authentication or elevated privileges.
OpenCVE Enrichment