Description
Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details.
Published: 2026-05-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla Responsive Portfolio 1.6.1 extension has an SQL injection flaw that permits authenticated users to inject arbitrary SQL via filter parameters such as filter_type_id, filter_pid_id, and filter_search in POST requests. The failure to properly sanitize these inputs allows an attacker to execute any SQL statement against the database, potentially exposing credentials, server configuration details, and other sensitive data. This flaw falls under CWE-89, indicating an injection weakness in data handling.

Affected Systems

The vulnerability impacts the Extro Responsive Portfolio extension, specifically version 1.6.1. It is present in Joomla sites that have installed this version of the plugin and are using it with user accounts that have permissions to submit filter queries.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS data is unavailable. Because only authenticated users can exploit the flaw, the attack surface is limited, but the vulnerability still poses a significant risk from internal attackers or anyone holding a valid account. It is not listed in CISA's KEV catalog. An attacker would need valid credentials and would send crafted POST requests to the filter handling endpoint to deliver malicious SQL.

Generated by OpenCVE AI on May 25, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Extro Responsive Portfolio to the latest available version, which resolves the injection flaw.
  • If an upgrade is not immediately possible, restrict or revoke the permissions of users who can access the filter functionality, ensuring only trusted administrators can use the affected endpoints.
  • Deploy a web application firewall or filter plugin that blocks SQL injection payloads in incoming requests to the extension’s filter parameters.

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details.
Title | (none) | Joomla Responsive Portfolio 1.6.1 SQL Injection via filter parameters
First Time appeared | (none) | Almera Responsive Portfolio Project; Almera Responsive Portfolio Project almera Responsive Portfolio
Weaknesses | (none) | CWE-89
CPEs | (none) | cpe:2.3:a:almera_responsive_portfolio_project:almera_responsive_portfolio:1.6.1:*:*:*:*:*:*:*
Vendors & Products | (none) | Almera Responsive Portfolio Project; Almera Responsive Portfolio Project almera Responsive Portfolio
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:23.614Z

Reserved: 2026-05-25T14:07:48.214Z

Link: CVE-2018-25381

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:30:06Z

Weaknesses