Joomla JHotelReservation 6.0.7 SQL Injection via search-hotels
Description
Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL payloads in the rooms parameter to extract sensitive database information including version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =6.0.7
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the `rooms` POST parameter allows SQL injection."
Attack vector
An unauthenticated attacker sends a POST request to `/search-hotels?view=hotels` with a crafted `rooms` parameter containing SQL injection payloads. The payload in the exploit uses a UNION SELECT with `version()` to extract the database version, along with 43 additional columns. No authentication or special privileges are required, making this a low-complexity, network-based attack [ref_id=1].
Affected code
The vulnerability exists in the JHotelReservation component for Joomla (version 6.0.7), specifically in the `search-hotels` view. The `rooms` POST parameter is passed unsanitized into a SQL query, as demonstrated by the exploit payload targeting the `hotels.searchHotels` task.
What the fix does
The advisory does not include a patch diff or vendor fix. The recommended remediation would be to properly escape or parameterize the `rooms` parameter before including it in SQL queries, or to migrate to prepared statements. Without an official patch, users should upgrade to a version newer than 6.0.7 or apply a WAF rule to block SQL injection patterns in the `rooms` field.
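As an added illustration (not JHotelReservation's own code, whose source the advisory does not include), the following hypothetical Joomla search handler shows the unsafe pattern described above next to a hardened version that type-checks the value and builds the query through the database API; the table name, column name, range bound and the Joomla 3-style `Factory`/`input` calls are assumptions.

```php
<?php
// Added example, not JHotelReservation's code. Table/column names are assumed.
use Joomla\CMS\Factory;

// UNSAFE PATTERN (the shape the advisory describes): the raw `rooms` POST
// value is concatenated into SQL, so a crafted value rewrites the query.
function searchHotelsUnsafe(): array
{
    $db    = Factory::getDbo();
    $rooms = $_POST['rooms'] ?? '1';            // untrusted, unsanitised
    $db->setQuery("SELECT * FROM #__jhotel_hotels WHERE rooms >= $rooms");
    return $db->loadObjectList();
}

// HARDENED VERSION: read the parameter through the integer filter, reject
// values outside the expected range, and only ever place an int in the SQL.
function searchHotelsSafe(): array
{
    $app   = Factory::getApplication();
    $rooms = $app->input->post->getInt('rooms', 1);   // non-numeric input -> 0
    if ($rooms < 1 || $rooms > 50) {                   // assumed business bound
        throw new InvalidArgumentException('rooms out of range');
    }

    $db    = Factory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__jhotel_hotels'))
        ->where($db->quoteName('rooms') . ' >= ' . (int) $rooms);
    $db->setQuery($query);
    return $db->loadObjectList();
}
```

With the integer filter in place, a value such as a UNION clause cannot survive the cast, so no SQL fragment from the request reaches the query text; a WAF rule on the field is then defence in depth rather than the only control.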
Preconditions
- config: The JHotelReservation component version 6.0.7 must be installed and the search-hotels endpoint must be accessible.
- auth: No authentication required; the attacker can reach the endpoint over HTTP/HTTPS.
- network: The attacker must be able to send POST requests to the vulnerable endpoint.
- input: The attacker supplies a malicious `rooms` parameter containing SQL injection syntax.
Reproduction
Send a POST request to `/j-myhotel/search-hotels?view=hotels` with the body including `task=hotels.searchHotels` and a `rooms` parameter containing a UNION SELECT payload (e.g., the URL-encoded value from the exploit). The response will include the database version string if the injection succeeds [ref_id=1].
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46234 (mitre; exploit)
- www.vulncheck.com/advisories/joomla-jhotelreservation-sql-injection-via-search-hotels (mitre; third-party advisory)
- cmsjunkie.com (mitre; product)
- extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jhotelreservation/ (mitre; product)