Description
Joomla! Component vBizz 1.0.7 contains an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary PHP files by submitting malicious files through the profile_pic parameter. Attackers can upload PHP files via POST requests to the employee view endpoint and execute them from the uploads directory to achieve remote code execution.
Published: 2026-06-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla! Component vBizz 1.0.7 permits unrestricted file upload via the profile_pic parameter, which allows authenticated users to upload arbitrary PHP code. Once the file is uploaded, the attacker can request it from the server's uploads directory, achieving remote code execution. This flaw is classified as CWE-434 and enables compromise of the confidentiality, integrity, and availability of the affected Joomla site.

Affected Systems

The vulnerability exists in the Wdmtech vBizz component version 1.0.7 when deployed on Joomla! sites. Any installation that loads or enables this component and accepts uploads for the employee view endpoint is affected. No other product or version ranges are mentioned.

Risk and Exploitability

The CVSS score of 8.7 denotes a high-severity flaw, while the EPSS score is not available and the issue is not listed in the CISA KEV catalog. The attack requires an authenticated Joomla user who can access the employee view endpoint; the attacker submits a crafted PHP file, which the component stores and which can later be executed by a web request. Although no exploit probability data is available, the existence of public exploits indicates a realistic threat. The lack of a KEV listing suggests the vulnerability has not yet been widely weaponized, but the high CVSS score and published proof-of-concept code warrant immediate attention.

Generated by OpenCVE AI on June 19, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vBizz component to a fixed version if available
  • If an upgrade is not feasible, disable the component or remove its upload functionality
  • Enforce strict server‑side validation for the profile_pic upload field, allowing only safe file types and preventing execution of uploaded files
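
One way to implement the server-side validation recommended in the last item, as an added example (not vBizz or Joomla code). The function name, size limit and sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the vBizz component.
// Accept only real images, ignore the client-supplied name entirely, and
// store under a server-chosen name with an allowlisted extension.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit for a profile picture

/** Returns the file name to store the upload under, or null to reject it. */
function safe_profile_pic_name(string $bytes): ?string
{
    if ($bytes === '' || strlen($bytes) > MAX_UPLOAD_BYTES) {
        return null;
    }
    // Derive the type from the content, never from $_FILES[...]['type'] or the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext  = is_string($mime) ? (ALLOWED_IMAGE_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return null;
    }
    // The bytes must also parse as an image of that same type.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // A random name with a fixed extension means the web server never maps
    // the stored file to the PHP handler, even if the image embeds PHP text.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: client file name => file content.
$samples = [
    'notes.php'  => "<?php echo 'hello'; ?>",
    'avatar.php' => base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ), // 1x1 PNG uploaded under a .php name
];
foreach ($samples as $clientName => $bytes) {
    printf("%-10s -> %s\n", $clientName, safe_profile_pic_name($bytes) ?? 'REJECTED');
}
```

Content checks alone do not stop execution of a file that reaches disk with a script extension, so the uploads directory should also be configured so the web server serves its contents as static files only.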


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values Removed: none

Values Added:

  • Description: Joomla! Component vBizz 1.0.7 contains an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary PHP files by submitting malicious files through the profile_pic parameter. Attackers can upload PHP files via POST requests to the employee view endpoint and execute them from the uploads directory to achieve remote code execution.
  • Title: Joomla! Component vBizz 1.0.7 Remote Code Execution
  • Weaknesses: CWE-434
  • References
  • Metrics:
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:35:17.973Z

Reserved: 2026-06-19T14:31:18.473Z

Link: CVE-2019-25758

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:00:04Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type