Description
Joomla! Component vBizz 1.0.7 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the payid parameter. Attackers can submit POST requests to the employee management interface with crafted payid array values containing SQL commands to extract sensitive database information including version and database names.
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! Component vBizz 1.0.7 is vulnerable to SQL injection, allowing authenticated attackers to inject malicious code into the payid parameter via POST requests to the employee management interface. This flaw enables execution of arbitrary SQL queries that can reveal sensitive information such as database names, versions, and other stored data. Because the injection can read data from the database, attackers could learn information that compromises confidentiality.

Affected Systems

The affected product is the vBizz component for Joomla, version 1.0.7, distributed by Wdmtech. Joomla sites running this component and allowing authenticated users to access the employee management interface are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, reflecting the potential impact of data compromise. No EPSS score is available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, through the web interface, and requires that the attacker be authenticated and have access to the employee management page.

Generated by OpenCVE AI on June 19, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vBizz component to the latest version that contains the SQL injection fix.
  • If an upgrade is not immediately possible, restrict access to the employee management interface to a minimal set of trusted administrators or disable it for all other accounts.
  • Deploy a web application firewall or create security rules that detect and block suspicious SQL injection payloads targeting the payid parameter, providing temporary protection until a patch is applied.

Generated by OpenCVE AI on June 19, 2026 at 20:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wdmtech
Wdmtech vbizz
Vendors & Products Wdmtech
Wdmtech vbizz

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component vBizz 1.0.7 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the payid parameter. Attackers can submit POST requests to the employee management interface with crafted payid array values containing SQL commands to extract sensitive database information including version and database names.
Title Joomla! Component vBizz 1.0.7 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:13:22.606Z

Reserved: 2026-06-19T14:31:39.773Z

Link: CVE-2019-25759

cve-icon Vulnrichment

Updated: 2026-06-22T17:08:00.477Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:48Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')