Description
Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the categorySearch, adType, and citySearch parameters to the displayads component to extract sensitive database information including usernames, databases, and version details.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The component contains a SQL injection in the displayads function, enabling an unauthenticated attacker to inject arbitrary SQL through the categorySearch, adType, and citySearch POST parameters. Successful exploitation would allow the attacker to retrieve sensitive database contents such as usernames, database names, and version information, thereby compromising the confidentiality of the Joomla site's data.

Affected Systems

Joomla Component J-ClassifiedsManager from Cmsjunkie, version 3.0.5, deployed on Joomla sites. The vulnerability exists in the public displayads interface exposed to all users.

Risk and Exploitability

The CVSS score of 8.8 reflects a significant danger; the vulnerability is exploitable remotely via normal HTTP POST requests, requiring no authentication. The EPSS score is not publicly available, and KEV does not list it, so there is no current evidence of widespread exploitation, but the high CVSS suggests a serious risk if the vulnerability remains unpatched.

Generated by OpenCVE AI on June 19, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade J-ClassifiedsManager to a version that fixes the SQL injection (check vendor for patch).
  • If an update is not available, remove or disable the component to stop public access to the vulnerable endpoint.
  • Apply web application firewall rules or input validation to block malicious SQL patterns and enforce parameterized queries.

Generated by OpenCVE AI on June 19, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cmsjunkie
Cmsjunkie j-classifiedsmanager
Vendors & Products Cmsjunkie
Cmsjunkie j-classifiedsmanager

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the categorySearch, adType, and citySearch parameters to the displayads component to extract sensitive database information including usernames, databases, and version details.
Title Joomla J-ClassifiedsManager 3.0.5 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Cmsjunkie J-classifiedsmanager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:17:24.485Z

Reserved: 2026-06-19T14:27:50.099Z

Link: CVE-2019-25751

cve-icon Vulnrichment

Updated: 2026-06-23T02:17:20.251Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')