Description
Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.
Published: 2026-05-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla Component eXtroForms 2.1.5 is vulnerable to SQL injection through the filter_type_id, filter_pid_id, and filter_search parameters used by the extroformfield view. A malicious value in one of these POST parameters is incorporated into a database query, so an authenticated user can cause arbitrary SQL to run against the site's database. The CVSS vector recorded for the entry rates confidentiality impact high and integrity impact low, so the primary outcome is disclosure of database contents (site configuration, user credential hashes, application data) with some limited ability to alter data.

Affected Systems

The vulnerability affects Joomla sites with eXtroForms 2.1.5 installed. The component is distributed by Extro as eXtroForms; the entry records the defect only for the 2.1.5 release and lists no other affected or fixed versions.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) yields a 7.1 High score: the flaw is reachable over the network, needs no user interaction and is low in complexity, but requires a low-privileged authenticated account. No EPSS score is available, so the exploitation probability is unmeasured rather than known to be low. The entry is not listed in the CISA KEV catalog. The authentication requirement confines the threat to sites where an attacker already holds, or can register or steal, a valid login; given that, the realistic attack path is an authenticated user sending a crafted POST request to the extroformfield view with SQL syntax in one of the filter parameters to extract database contents.

Generated by OpenCVE AI on May 25, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release of eXtroForms later than 2.1.5 once the vendor publishes one; at the time of this entry no fix or workaround is recorded.
  • Until then, restrict access to the extroformfield view (and the component's administrator views generally) to trusted accounts, since any authenticated user can reach the vulnerable parameters.
  • In the component itself, cast the numeric filters (filter_type_id, filter_pid_id) to integers and pass filter_search to the query as a bound parameter or properly quoted value rather than concatenating request input into SQL.
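The following is an added illustration, not the eXtroForms source code: a hypothetical reconstruction of the filter-handling pattern that produces a CWE-89 finding in a Joomla component, placed beside the form the recommendations above call for. The table name `#__extroform_fields`, the column names, and both function names are assumptions; the hardened version uses the Joomla 4 database API (`bind()` with `ParameterType`), and on Joomla 3 the equivalent is `(int)` casts plus `$db->quote()`.

```php
<?php
// Added example, not code from the eXtroForms component. Table and column
// names are assumed for illustration only.

use Joomla\CMS\Factory;
use Joomla\Database\ParameterType;

// Hypothetical vulnerable pattern: raw request values spliced into the SQL text.
function getFieldsVulnerable()
{
    $db    = Factory::getDbo();
    $input = Factory::getApplication()->input->post;

    // 'raw' disables Joomla's input filtering, so anything the user sends passes through.
    $typeId = $input->get('filter_type_id', '', 'raw');
    $pid    = $input->get('filter_pid_id', '', 'raw');
    $search = $input->get('filter_search', '', 'raw');

    $sql = 'SELECT * FROM #__extroform_fields WHERE 1=1';
    if ($typeId !== '') {
        $sql .= ' AND type_id = ' . $typeId;        // a value like "1 OR 1=1" is not a number
    }
    if ($pid !== '') {
        $sql .= ' AND pid = ' . $pid;
    }
    if ($search !== '') {
        $sql .= " AND name LIKE '%" . $search . "%'"; // a closing quote ends the literal early
    }

    $db->setQuery($sql);
    return $db->loadObjectList();
}

// Hardened form: typed input accessors, quoted identifiers, bound parameters.
function getFieldsHardened()
{
    $db    = Factory::getDbo();
    $input = Factory::getApplication()->input->post;

    // getInt()/getString() enforce the expected type before the value reaches SQL.
    $typeId = $input->getInt('filter_type_id', 0);
    $pid    = $input->getInt('filter_pid_id', 0);
    $search = $input->getString('filter_search', '');

    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__extroform_fields'));

    if ($typeId > 0) {
        $query->where($db->quoteName('type_id') . ' = :typeId')
              ->bind(':typeId', $typeId, ParameterType::INTEGER);
    }
    if ($pid > 0) {
        $query->where($db->quoteName('pid') . ' = :pid')
              ->bind(':pid', $pid, ParameterType::INTEGER);
    }
    if ($search !== '') {
        // Escape LIKE wildcards so the user cannot widen the match, then bind the
        // whole pattern as data; the driver never interprets it as SQL syntax.
        $pattern = '%' . str_replace(['%', '_'], ['\\%', '\\_'], $search) . '%';
        $query->where($db->quoteName('name') . ' LIKE :search')
              ->bind(':search', $pattern, ParameterType::STRING);
    }

    $db->setQuery($query);
    return $db->loadObjectList();
}
```

The integer casts alone close the injection on the two ID filters; the string filter is the one that genuinely needs binding (or `$db->quote()` on older Joomla), because no cast can make free text safe to concatenate. Note that `bind()` takes its value by reference, so the pattern is built in a variable first rather than passed as an expression.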


Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type         Values Removed   Values Added
Description  -                Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.
Title        -                Joomla Component eXtroForms 2.1.5 SQL Injection via filter parameters
Weaknesses   -                CWE-89
References   -                -
Metrics      -                cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                              cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:22.842Z

Reserved: 2026-05-25T14:05:33.447Z

Link: CVE-2018-25380

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:30:06Z

Weaknesses