Description
Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION statements in the cmId parameter to extract database information including usernames, passwords, and database versions.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla Component vReview 1.9.11 contains an SQL injection flaw that can be triggered by unauthenticated attackers sending a POST request to the editReview endpoint. By injecting specially crafted input into the cmId parameter, an attacker may execute arbitrary SQL statements, including UNION queries that reveal sensitive data such as usernames, passwords, and database version information. The flaw is a classic CWE-89 injection, leading to potential data theft and database compromise.

Affected Systems

The affected product is the Wdmtech vReview component for Joomla, specifically version 1.9.11. Any site that has this component installed and exposed to the web is vulnerable if the editReview task is reachable without authentication.

Risk and Exploitability

The CVSS base score of 8.8 labels this vulnerability as high severity. Although no EPSS value is listed, the lack of required authentication and the straightforward nature of the SQL injection suggest a high likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the potential impact on confidentiality is significant. Attackers can exploit it by crafting a malicious POST request to the editReview endpoint, bypassing ordinary access controls.

Generated by OpenCVE AI on June 19, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor’s latest patch or upgrade vReview to a version that removes the SQL injection flaw.
  • If an update is not immediately available, disable or remove the vReview component from the Joomla installation to eliminate the attack surface.
  • Restrict web access to the editReview endpoint by using .htaccess rules or Joomla’s ACL to ensure only authorized administrators can reach it.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION statements in the cmId parameter to extract database information including usernames, passwords, and database versions.
Title | (none) | Joomla vReview 1.9.11 SQL Injection via editReview
Weaknesses | (none) | CWE-89
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:25:11.921Z

Reserved: 2026-06-19T14:30:03.309Z

Link: CVE-2019-25755

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')