Description
Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information including version and database names.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Joomla vWishlist 1.0.1, where an authenticated attacker can supply malicious SQL fragments in the vproductid and userid POST parameters. This allows the attacker to execute arbitrary SELECT or other statements against the database and retrieve sensitive information such as the database version, database names, and potentially the contents of other tables. The weakness is a classic SQL injection flaw (CWE-89).

Affected Systems

The affected product is Wdmtech’s vWishlist component for Joomla, version 1.0.1. No other Joomla extensions were listed. Users running this component without updating are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 corresponds to a High severity rating. Exploitation requires the attacker to be authenticated to the Joomla installation, so a valid session, obtained for example through impersonation or credential theft, is a prerequisite. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. In practice, once authenticated, an attacker can read confidential database contents, which could lead to data exposure or further compromise.

Generated by OpenCVE AI on June 19, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or upgrade vWishlist to a version that removes the vulnerability, once one is available.
  • If an upgrade is not possible, restrict the component to only trusted user groups and enforce strong authentication mechanisms.
  • Reduce database privileges for the Joomla database user so that it cannot execute arbitrary statements or access sensitive tables.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information including version and database names. |
| Title | | Joomla vWishlist 1.0.1 SQL Injection via vproductid Parameter |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'} |
| | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:31:56.281Z

Reserved: 2026-06-19T14:30:56.099Z

Link: CVE-2019-25757

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:00:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')