Description
Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details.
Published: 2026-05-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla Responsive Portfolio 1.6.1 extension has an SQL injection flaw that permits authenticated users to inject arbitrary SQL via filter parameters such as filter_type_id, filter_pid_id, and filter_search in POST requests. The failure to properly sanitize these inputs allows an attacker to execute any SQL statement against the database, potentially exposing credentials, server configuration details, and other sensitive data. This flaw falls under CWE-89, indicating an injection weakness in data handling.

Affected Systems

The vulnerability impacts the Extro Responsive Portfolio extension, specifically version 1.6.1. It is present in Joomla sites that have installed this version of the plugin and are using it with user accounts that have permissions to submit filter queries.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. While EPSS data is unavailable, the requirement for authentication limits the attack surface, but the flaw still poses a significant risk from internal attackers. The vulnerability is not listed in CISA's KEV catalog. An attacker would need valid credentials and would send crafted POST requests to the filter-handling endpoint to deliver the malicious SQL.

Generated by OpenCVE AI on May 25, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Extro Responsive Portfolio to the latest available version, which resolves the injection flaw.
  • If an upgrade is not immediately possible, restrict or revoke the permissions of users who can access the filter functionality, ensuring only trusted administrators can use the affected endpoints.
  • Deploy a web application firewall or filter plugin that blocks SQL injection payloads in incoming requests to the extension’s filter parameters.

Tracking

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

First Time appeared (values added): Extro; Extro responsive Portfolio
Vendors & Products (values added): Extro; Extro responsive Portfolio

Tue, 26 May 2026 13:15:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 14:30:00 +0000

Description (values added): Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details.
Title (values added): Joomla Responsive Portfolio 1.6.1 SQL Injection via filter parameters
First Time appeared (values added): Almera Responsive Portfolio Project; Almera Responsive Portfolio Project almera Responsive Portfolio
Weaknesses (values added): CWE-89
CPEs (values added): cpe:2.3:a:almera_responsive_portfolio_project:almera_responsive_portfolio:1.6.1:*:*:*:*:*:*:*
Vendors & Products (values added): Almera Responsive Portfolio Project; Almera Responsive Portfolio Project almera Responsive Portfolio
References (values added):
Metrics (values added): cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Almera Responsive Portfolio Project Almera Responsive Portfolio
Extro Responsive Portfolio
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T12:47:42.374Z

Reserved: 2026-05-25T14:07:48.214Z

Link: CVE-2018-25381

Vulnrichment

Updated: 2026-05-26T12:47:39.816Z

NVD

Status : Deferred

Published: 2026-05-25T15:16:21.330

Modified: 2026-05-26T19:47:48.987

Link: CVE-2018-25381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:20Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')