Description
Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files.
Published: 2026-06-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla! Component Easy Shop version 1.2.3 contains a local file inclusion flaw that allows unauthenticated attackers to read arbitrary files on the server by sending index.php. The attacker supplies a base64‑encoded file path in the file parameter while setting option=com_easyshop and task=ajax.loadImage. This enables reading of sensitive files such as the Joomla configuration file and system files, exposing credentials and other confidential data. The vulnerability is a classic example of CWE‑98 and can lead to full disclosure of confidential data.

Affected Systems

The affected product is Easy Shop by Joomtech, version 1.2.3. No other versions are specifically listed. The component is deployed on Joomla! websites that have installed this exact version of Easy Shop.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, so the exact likelihood of exploitation is unknown, but the flaw can be triggered by unauthenticated web requests, making it a highly likely target. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it from any machine that can reach the website, sending a standard HTTP GET request; hence the attack vector is network‑based and requires no special privileges.

Generated by OpenCVE AI on June 19, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Shop to a version that contains the fix for the local file inclusion vulnerability.
  • If an upgrade is not immediately possible, configure the web server or Joomla to block direct access to sensitive files such as configuration.php and restrict the file parameter to known safe directories.
  • Apply proper access controls so that only.loadImage task, or disable that task entirely if it is not needed.

Generated by OpenCVE AI on June 19, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomtech
Joomtech easy Shop
Vendors & Products Joomtech
Joomtech easy Shop

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files.
Title Joomla! Component Easy Shop 1.2.3 Local File Inclusion
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomtech Easy Shop
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T19:11:10.402Z

Reserved: 2026-06-19T14:32:03.171Z

Link: CVE-2019-25760

cve-icon Vulnrichment

Updated: 2026-06-22T19:11:02.551Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:46Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')