Impact
K2 versions 2.24 and earlier contain a mass‑assignment flaw in the plg_user_k2 plugin that is invoked during a standard Joomla account profile save operation. An authenticated user can include the hidden field K2UserForm=1 in the POST payload and force the plugin to write arbitrary values to the notes, image, and plugins columns of their own record in the #__k2_users table. Because these columns are not exposed in the public K2 profile‑edit form, the flaw can be abused to persist unexpected data, including potentially crafted plugin configurations, without the user's awareness. This weakness is classified as CWE-915: Mass‑assignment, which represents a failure to properly sanitize or limit input data. The impact is limited to the scope of accounts that can authenticate to the site; however, the ability to inject data into plugin fields could lead to broader compromise if those fields are later rendered or executed by the system.
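As an added illustration of the defensive side of this flaw (not K2's or Joomla's own code), the snippet below contrasts a profile-save routine that copies every submitted field into a column update with one that copies only an allowlist of form-exposed columns, and adds a check that surfaces requests naming the protected columns so they can be logged and rejected. The column names notes, image and plugins come from the advisory; the allowlisted column names, the function names and the sample request body are assumptions constructed for the example.

```php
<?php
// Added example, not K2's or Joomla's code: the mass-assignment pattern the
// advisory describes beside an allowlist fix. The protected column names
// (notes, image, plugins) come from the advisory; the writable column names,
// function names and sample request are constructed assumptions.

// Columns the public profile-edit form is meant to expose (assumed set).
const K2_USER_WRITABLE = ['gender', 'description', 'url'];

// Columns the advisory reports being written although they are not on the form.
const K2_USER_PROTECTED = ['notes', 'image', 'plugins'];

// Vulnerable shape: every submitted field becomes a column update, so a
// request that carries extra keys writes columns the form never exposed.
function buildUpdateVulnerable(array $post): array
{
    $update = [];
    foreach ($post as $column => $value) {
        if ($column === 'K2UserForm') {
            continue; // only the trigger flag is dropped; all other keys pass through
        }
        $update[$column] = $value;
    }
    return $update;
}

// Hardened shape: iterate over the allowlist, never over the request, so
// protected columns cannot be reached regardless of what the payload contains.
function buildUpdateHardened(array $post): array
{
    $update = [];
    foreach (K2_USER_WRITABLE as $column) {
        if (array_key_exists($column, $post)) {
            $update[$column] = (string) $post[$column];
        }
    }
    return $update;
}

// Audit aid: return any request keys that name protected columns so the
// save handler can log the attempt and refuse the request.
function unexpectedProtectedFields(array $post): array
{
    return array_values(array_intersect(array_keys($post), K2_USER_PROTECTED));
}

// Constructed sample request body, not a captured one.
$post = [
    'K2UserForm'  => '1',
    'description' => 'Hello',
    'plugins'     => 'constructed-value',
];

var_dump(buildUpdateVulnerable($post));
var_dump(buildUpdateHardened($post));
var_dump(unexpectedProtectedFields($post));
```

The design point is the direction of the loop: the hardened version walks the allowlist and looks up the request, rather than walking the request and trusting its keys, which is the general fix for CWE-915-style issues independent of the specific columns involved.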
Affected Systems
Getk2.com’s K2 extension for Joomla, specifically versions up to and including 2.24, is the only component affected. The description names no other Joomla extensions or core components, so it is inferred that none are directly affected by the vulnerability as presented.
Risk and Exploitability
The vulnerability requires only a legitimate Joomla user account and does not depend on remote code execution or privilege escalation. No EPSS score is provided, and the issue is not listed in CISA KEV, indicating limited evidence of exploitation in the wild. Because the flaw is confined to authenticated users, the risk to the site is that attackers can inject malicious content into their own profile information. The CVSS score of 6.5 indicates a moderate severity, confirming that while the flaw is not critical, it still poses a significant data integrity and potential privacy concern for end users.
OpenCVE Enrichment