Description
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Joomla HikaShop 4.7.4 contains a reflected cross‑site scripting flaw that allows attackers to inject malicious scripts by manipulating the GET parameters of the product filter endpoint. By crafting URLs that include XSS payloads in the from_option, from_ctrl, from_task, or from_itemid fields, an unauthenticated attacker can cause the victim’s browser to execute user‑supplied code. When a user opens the link, the script can steal session tokens or login credentials, compromising the victim’s account.

Affected Systems

The vulnerability affects any installation of Joomla HikaShop version 4.7.4. Any site running this exact version and using the product filter component is susceptible, regardless of the overall Joomla configuration.

Risk and Exploitability

With a CVSS score of 5.1 the flaw carries a moderate impact, and the lack of an EPSS score makes the exact exploit probability unclear. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely via a crafted HTTP GET request without needing authentication. Exploitation requires only that a user click the malicious link, and can lead to credential theft. Because no workaround has been published, the risk persists until the vendor releases a patch.

Generated by OpenCVE AI on April 9, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version of HikaShop that resolves the reflected XSS flaw.
  • If a patch is not yet available, ensure that all values from the from_option, from_ctrl, from_task, and from_itemid parameters are properly sanitized and encoded before rendering them back to the browser.
  • Deploy a Content Security Policy that restricts the execution of inline scripts and mitigates the impact of reflected XSS attempts.
  • Monitor web server logs for anomalous URLs containing unexpected query parameters to detect potential exploitation attempts.
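One way to act on the log-monitoring recommendation above, as an added example that is not OpenCVE's or HikaShop's code: a small Python scanner that pulls the request target out of combined-format access-log lines and flags any of the four advisory-named parameters whose decoded value contains HTML or script metacharacters. The endpoint path, the log format and the two sample lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters the advisory names as reflected by the product filter endpoint.
WATCHED_PARAMS = {"from_option", "from_ctrl", "from_task", "from_itemid"}

# Characters that have no business in these values, which normally carry
# Joomla component/controller/task names and a numeric item id.
SUSPICIOUS = re.compile(r'[<>"\'`()]|javascript:|on\w+\s*=', re.IGNORECASE)

# Apache/nginx combined log format: only the request target is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return [(param, decoded_value)] for watched params whose decoded
    value contains HTML/JS metacharacters, or [] if the request looks normal."""
    qs = urlsplit(request_target).query
    hits = []
    for name, values in parse_qs(qs, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            decoded = unquote_plus(v)  # parse_qs decoded once; this catches double-encoding
            if SUSPICIOUS.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return [(line_no, param, value)] for each suspicious watched parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group(1)):
            findings.append((n, name, value))
    return findings

# Constructed sample lines (assumed path and format, not from any real server):
# one benign product filter request and one carrying an encoded tag in from_ctrl.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:21:16:06 +0000] "GET /index.php?option=com_hikashop&ctrl=product&task=filter&from_option=com_hikashop&from_ctrl=category&from_task=listing&from_itemid=101 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [09/Apr/2026:21:17:30 +0000] "GET /index.php?option=com_hikashop&ctrl=product&task=filter&from_option=com_hikashop&from_ctrl=%3Cscript%3Ex%3C%2Fscript%3E&from_itemid=101 HTTP/1.1" 200 5130',
]

if __name__ == "__main__":
    for line_no, name, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name} = {value!r}")
```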

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 21:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
Title               |                | Joomla HikaShop 4.7.4 Reflected XSS via Product Filter
First Time appeared |                | Hikashop; Hikashop hikashop
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:hikashop:hikashop:4.7.4:*:*:*:*:*:*:*
Vendors & Products  |                | Hikashop; Hikashop hikashop
References          |                |
Metrics             |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:42.563Z

Reserved: 2026-04-09T20:42:23.652Z

Link: CVE-2023-54364

Vulnrichment

Updated: 2026-04-10T18:10:46.242Z

NVD

Status : Deferred

Published: 2026-04-09T21:16:06.117

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:10Z

Weaknesses