Description
Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Attackers can send GET requests to index.php with malicious aid values in the make_payment task to extract sensitive database information using boolean-based blind or time-based blind techniques.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla Payage 2.05 contains an unauthenticated SQL injection flaw that lets attackers inject arbitrary SQL through the aid parameter of the make_payment task. The injection can be exploited via GET requests to index.php, enabling boolean‑based blind or time‑based extraction of sensitive data such as user credentials, payment records, or other private database contents. This vulnerability is classified as CWE‑89 and allows a remote attacker to read information from the database without requiring authentication.

Affected Systems

The affected product is the Joomla Payage extension, specifically version 2.05. No other versions or products are listed as affected in the current CIA data.

Risk and Exploitability

With a CVSS score of 8.8 the flaw is considered High severity. EPSS is not available, so the probability of exploitation cannot be quantified, and the vulnerability is not present in the CISA KEV catalog. Attackers can reach the vulnerable endpoint directly, send crafted GET requests, and retrieve data through the SQL injection, which requires no prior authentication or elevated privileges.

Generated by OpenCVE AI on June 19, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade the Payage extension to a non‑susceptible version (e.g., 2.06 or later).
  • Configure the payment component to require user authentication or enforce ACL rules that block public access to the make_payment task.
  • Review web server logs for suspicious aid parameters and implement rate‑limiting or input filtering on the payment endpoint.

Generated by OpenCVE AI on June 19, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Extensions
Extensions joomla Payage
Vendors & Products Extensions
Extensions joomla Payage

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Attackers can send GET requests to index.php with malicious aid values in the make_payment task to extract sensitive database information using boolean-based blind or time-based blind techniques.
Title Joomla Payage 2.05 SQL Injection via aid Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Extensions Joomla Payage
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T14:21:40.816Z

Reserved: 2026-06-19T15:10:05.440Z

Link: CVE-2017-20279

cve-icon Vulnrichment

Updated: 2026-06-22T14:21:25.056Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:09Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')