VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Joomla Component eXtroForms 2.1.5 SQL Injection via filter parameters

CVE-2018-25380

Description

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joomla eXtroForms 2.1.5 has multiple SQL injection vulnerabilities in filter parameters, allowing authenticated attackers to extract database and server data.

Vulnerability

Joomla Component eXtroForms version 2.1.5 contains SQL injection vulnerabilities in the filter_type_id, filter_pid_id, and filter_search parameters. These parameters are accessible via POST requests to the extroformfield view in the backend (/administrator/index.php?option=com_extroform&view=extroformfield). The vulnerability requires an authenticated user with access to the filtering feature; no special privileges beyond a standard backend account are needed [1][3].

Exploitation

An authenticated attacker can craft a POST request with malicious SQL payloads in any of the three vulnerable parameters (filter_type_id, filter_pid_id, filter_search). The exploit demonstrated includes boolean-based blind and error-based techniques. For example, using a payload such as filter_type_id=-7022 OR 5787=5787# triggers a boolean-based blind SQL injection. The attacker must have a valid session cookie and be able to send POST requests to the vulnerable endpoint [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the Joomla database. With database access, the attacker can extract sensitive information such as user credentials, session data, and other server information. The impact includes data breach and potential privilege escalation within the Joomla application, depending on the database content [1][3].

Mitigation

As of the available references, no official patch or fixed version has been released. The vendor homepage (eXtro.media) does not mention an update addressing this vulnerability [2]. Users should restrict access to the administrator backend, apply principle of least privilege for backend users, and consider using a web application firewall (WAF) to filter SQL injection attempts. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `filter_type_id`, `filter_pid_id`, and `filter_search` parameters allows SQL injection."

Attack vector

An authenticated attacker sends a POST request to `/administrator/index.php?option=com_extroform&view=extroformfield` with malicious SQL payloads in the `filter_type_id`, `filter_pid_id`, or `filter_search` parameters [ref_id=1]. The exploit supports boolean-based blind, error-based, and time-based blind SQL injection techniques against a MySQL backend [ref_id=1]. By crafting payloads such as `-7022 OR 5787=5787#` or `1 AND SLEEP(5)`, the attacker can extract database contents and server information [ref_id=1].

Affected code

The vulnerability resides in the Joomla eXtroForms component (version 2.1.5), specifically in the `extroformfield` view under `com_extroform`. The parameters `filter_type_id`, `filter_pid_id`, and `filter_search` are processed without proper sanitization before being used in SQL queries [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory does not specify a fix; however, remediation would require the application to properly sanitize or parameterize the `filter_type_id`, `filter_pid_id`, and `filter_search` parameters before including them in SQL queries [ref_id=1]. Until a fix is published, users should upgrade to a patched version of the eXtroForms component as soon as one becomes available.
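The remediation described above, shown as an added example that is not the eXtroForms component's code: a hypothetical Joomla 4 list model whose `getListQuery()` binds the three filter values as typed parameters instead of concatenating them into SQL text. The table and column names (`#__extroform_fields`, `a.type_id`, `a.pid`, `a.name`) and the state keys are assumptions, not the component's real schema.

```php
<?php
// Added example, not the eXtroForms code. Table and column names are assumed.
use Joomla\CMS\MVC\Model\ListModel;
use Joomla\Database\ParameterType;

class FieldsModel extends ListModel
{
    // Vulnerable pattern (what the advisory describes, kept here only for contrast):
    // request-supplied filter values are dropped straight into the SQL string.
    //   $query->where('a.type_id = ' . $this->getState('filter.type_id'));
    //   $query->where("a.name LIKE '%" . $this->getState('filter.search') . "%'");

    protected function getListQuery()
    {
        $db    = $this->getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName(['a.id', 'a.name', 'a.type_id', 'a.pid']))
            ->from($db->quoteName('#__extroform_fields', 'a'));

        // Numeric filters: reject anything non-numeric, cast to int, bind as INTEGER.
        // A payload like "-7022 OR 5787=5787#" never reaches the query text.
        $typeId = $this->getState('filter.type_id');
        if ($typeId !== null && $typeId !== '' && is_numeric($typeId)) {
            $typeId = (int) $typeId;
            $query->where($db->quoteName('a.type_id') . ' = :typeId')
                ->bind(':typeId', $typeId, ParameterType::INTEGER);
        }

        $pid = $this->getState('filter.pid_id');
        if ($pid !== null && $pid !== '' && is_numeric($pid)) {
            $pid = (int) $pid;
            $query->where($db->quoteName('a.pid') . ' = :pid')
                ->bind(':pid', $pid, ParameterType::INTEGER);
        }

        // Free-text search: bound STRING parameter. escape($s, true) additionally
        // backslash-escapes LIKE wildcards so user input cannot widen the match.
        $search = trim((string) $this->getState('filter.search'));
        if ($search !== '') {
            $search = '%' . $db->escape($search, true) . '%';
            $query->where($db->quoteName('a.name') . ' LIKE :search')
                ->bind(':search', $search, ParameterType::STRING);
        }

        return $query;
    }
}
```

The key property is that no request value ever becomes part of the SQL text: integers are validated and bound as integers, and the search term is bound as a string, so boolean-based, error-based and time-based injection payloads are treated as literal filter values rather than SQL syntax. Restricting backend access and least-privilege accounts, as recommended under Mitigation, remain the compensating controls until the component itself is fixed.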

Preconditions

  • auth: Attacker must be an authenticated user of the Joomla administrator backend
  • config: Target must run Joomla eXtroForms component version 2.1.5
  • network: Attacker must be able to send HTTP POST requests to the administrator interface

Reproduction

Send a POST request to `/administrator/index.php?option=com_extroform&view=extroformfield` with a body such as `filter_type_id=-7022 OR 5787=5787#&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1` to trigger boolean-based blind SQL injection. For time-based blind, use `filter_type_id=1 AND SLEEP(5)` with the same endpoint. The `filter_pid_id` and `filter_search` parameters accept similar payloads as documented in the exploit [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.