Joomla Responsive Portfolio 1.6.1 SQL Injection via filter parameters
Description
Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla Responsive Portfolio 1.6.1 contains SQL injection in filter parameters, allowing authenticated attackers to extract database contents.
Vulnerability
Joomla Responsive Portfolio version 1.6.1 is vulnerable to SQL injection in the filter_type_id, filter_pid_id, and filter_search POST parameters within the administrator backend component com_pofos [1][3]. The component fails to sanitize user input before using it in SQL queries, enabling injection of arbitrary SQL commands. The vulnerability is present in the filtering feature accessible to authenticated users.
Exploitation
An attacker must have valid Joomla administrator credentials to access the backend. The exploit sends a POST request to /administrator/index.php?option=com_pofos&view=pofoits with malicious payloads in the vulnerable parameters [1]. The exploit-db reference demonstrates boolean-based blind and error-based SQL injection techniques using MySQL comments and FLOOR error generation [1]. No user interaction beyond authentication is required.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary SQL commands, potentially extracting sensitive data such as user credentials, server information, and other database contents [1][3]. The attacker can fully compromise the database, leading to information disclosure and possible privilege escalation within the Joomla application.
Mitigation
As of the available references, no official patch has been released for this vulnerability. The vendor site (eXtro.media) does not mention a fixed version [2]. Users should consider disabling the component or restricting access to the administrator backend until a patch is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: =1.6.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the filter parameters allows direct SQL injection into database queries."
Attack vector
An authenticated attacker sends a POST request to `/administrator/index.php?option=com_pofos&view=pofoits` with malicious payloads in the `filter_type_id`, `filter_pid_id`, or `filter_search` parameters [ref_id=1]. The exploit supports boolean-based blind, error-based, and time-based blind SQL injection techniques against a MySQL backend. Successful injection allows the attacker to extract arbitrary database contents, including credentials and server information [ref_id=1].
Affected code
The vulnerability exists in the Joomla! component "Responsive Portfolio" version 1.6.1. The POST parameters `filter_type_id`, `filter_pid_id`, and `filter_search` are not sanitized before being used in SQL queries within the component's filtering feature [ref_id=1].
What the fix does
No patch or vendor advisory is included in the bundle. The exploit-db entry [ref_id=1] does not provide remediation guidance. To fix this vulnerability, the component would need to implement parameterized queries or proper input validation/sanitization on the `filter_type_id`, `filter_pid_id`, and `filter_search` parameters before they are interpolated into SQL statements.
Preconditions
- authAttacker must be an authenticated Joomla user with access to the administrator backend filtering feature
- configThe target must be running Joomla! with Responsive Portfolio component version 1.6.1
- networkAttacker must be able to send POST requests to the administrator interface
Reproduction
1. Authenticate to the Joomla administrator backend. 2. Send a POST request to `/administrator/index.php?option=com_pofos&view=pofoits` with `Content-Type: application/x-www-form-urlencoded`. 3. Inject a boolean-based blind payload in `filter_type_id`, e.g. `filter_type_id=-7022 OR 5787=5787#` [ref_id=1]. 4. Alternatively, inject error-based payloads such as `filter_type_id=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT (ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)` [ref_id=1]. 5. The same injection techniques apply to `filter_pid_id` and `filter_search` parameters [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.exploit-db.com/exploits/45491mitreexploit
- www.vulncheck.com/advisories/joomla-responsive-portfolio-sql-injection-via-filter-parametersmitrethird-party-advisory
- extensions.joomla.org/extension/rpc-responsive-portfolio/mitreproduct
- extro.mediamitreproduct
News mentions
0No linked articles in our index yet.