Description
Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Joomla JLex Review 6.0.1 contains a reflected cross‑site scripting flaw that lets an attacker supply a malicious payload through the review_id URL parameter. When a victim visits a crafted link, the embedded script runs in the victim's browser, allowing session hijacking or credential theft. The vulnerability does not require authentication or additional privileges, so any user who follows a malicious link can be exposed.

Affected Systems

The flaw is present only in the JLexart Joomla JLex Review extension, version 6.0.1. No other product or version is listed as affected. Site owners using this specific extension version should verify its presence on their deployment.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not available, and the vulnerability is not catalogued in the CISA KEV list. Based on the description, it is inferred that the attacker can exploit this weakness by sending phishing emails or embedding the link in other content that drives users to the vulnerable URL. The vulnerability has been demonstrated by publicly available exploits, showing that it can be leveraged without additional prerequisites.

Generated by OpenCVE AI on April 9, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JLex Review extension to a version that includes the patch; the vendor has released an updated release that removes the flaw.
  • If upgrading is not immediately possible, consider disabling or removing the extension until a patched version is available to eliminate the attack surface.
  • Implement web application firewall rules that detect or block XSS payloads in the review_id parameter to mitigate exploitation attempts.
  • Monitor user traffic for suspicious activity, and educate site visitors about the dangers of clicking unknown links to reduce the likelihood of successful social‑engineering attacks.

Generated by OpenCVE AI on April 9, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Jlexart
Jlexart joomla Jlex Review
Vendors & Products Jlexart
Jlexart joomla Jlex Review

Thu, 09 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.
Title Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Jlexart Joomla Jlex Review
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:39.719Z

Reserved: 2026-04-09T20:41:49.829Z

Link: CVE-2023-54360

cve-icon Vulnrichment

Updated: 2026-04-13T20:23:03.755Z

cve-icon NVD

Status : Deferred

Published: 2026-04-09T21:16:05.340

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:14Z

Weaknesses