Description
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Solidres 2.13.3 contains a reflected cross‑site scripting flaw that lets attackers embed malicious script code into several GET parameters such as show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. When a victim opens a URL carrying a JavaScript payload in any of these parameters, the code runs in the visitor’s browser. This can enable an attacker to steal session tokens, capture login credentials, or alter the presentation of the site.

Affected Systems

The vulnerability affects the Solidres extension for Joomla, version 2.13.3. No other product variants or earlier versions are listed as vulnerable in the supplied data.

Risk and Exploitability

The CVSS value of 5.1 points to a moderate severity. Exploit probability data is absent, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw without authentication by delivering specially crafted URLs to targeted users, typically through phishing or social engineering. Successful exploitation can lead to session hijacking, credential theft, and content manipulation, so the risk to high‑traffic sites is significant despite the moderate score.

Generated by OpenCVE AI on April 9, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Solidres patch from the vendorIf a patch is not immediately available, configure the web server or application firewall to strictly validate or block the vulnerable GET parameters.
  • Implement a Content Security Policy that restricts inline scripts and disallows execution of arbitrary JavaScript.
  • Monitor site traffic for anomalous URLs containing suspicious query strings.

Generated by OpenCVE AI on April 9, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
Title Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters
First Time appeared Solidres
Solidres solidres
Weaknesses CWE-79
CPEs cpe:2.3:a:solidres:solidres:2.13.3:*:*:*:*:*:*:*
Vendors & Products Solidres
Solidres solidres
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Solidres Solidres
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:41.862Z

Reserved: 2026-04-09T20:42:16.616Z

Link: CVE-2023-54363

cve-icon Vulnrichment

Updated: 2026-04-10T15:53:31.709Z

cve-icon NVD

Status : Deferred

Published: 2026-04-09T21:16:05.907

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:11Z

Weaknesses