Joomla J-MultipleHotelReservation 6.0.7 SQL Injection
Description
Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to inject arbitrary SQL into a database query through the hotel_id parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL UNION SELECT statements to extract sensitive database information, including table names and column data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 6.0.7
Patches
None linked for this advisory.
Vulnerability mechanics
Root cause
"Missing input sanitization on the hotel_id parameter allows unauthenticated SQL injection via UNION SELECT statements."
Attack vector
An unauthenticated attacker sends a POST request to the `search-hotels` endpoint with a crafted `hotel_id` parameter containing a `UNION SELECT` payload. The payload is URL-encoded in the exploit but decodes to a union-based SQL injection that enumerates database schema information (a UNION appends the attacker's result set to the legitimate query's, so the column count of the injected SELECT must match the original query). Because the component fails to sanitize the `hotel_id` input before incorporating it into a SQL query, the attacker can extract table names and column data from the underlying database. The exploit targets the `controller=search&task=searchHotels` action and requires no prior authentication or special privileges [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff. Remediation would require the component to properly sanitize or parameterize the `hotel_id` input before using it in SQL queries, preventing injection of arbitrary UNION SELECT statements.
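To make the mechanics concrete, here is an added illustration (not code from the component, its vendor, or the exploit) of the hole the advisory describes and of the remediation sketched above. It uses Python and an in-memory SQLite database as a stand-in for the component's PHP and MySQL; the `hotels`/`users` schema, the function names and the payload are all constructed for this example. The vulnerable version interpolates `hotel_id` into the query text, so a `-1 UNION SELECT ...` value turns an ID lookup into a schema dump; the fixed version rejects non-integer input and binds the value as a query parameter.

```python
import sqlite3

# Constructed sample schema. The real component's tables are not known from the
# advisory; this is only here so the example runs stand-alone.
SCHEMA = """
CREATE TABLE hotels (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO hotels VALUES (1, 'Seaside Inn', 'Brighton');
INSERT INTO hotels VALUES (2, 'Alpine Lodge', 'Innsbruck');
INSERT INTO users  VALUES (1, 'admin', 'example-hash-not-real');
"""

# Union-based payload in the style quoted by the advisory: -1 makes the
# legitimate lookup match nothing, and the UNION SELECT (same column count as
# the original query: three) pulls table names and DDL from the catalog.
UNION_PAYLOAD = "-1 UNION SELECT 1, name, sql FROM sqlite_master WHERE type='table'"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_hotels_vulnerable(conn, hotel_id):
    """Request input is spliced straight into the SQL text (the flaw)."""
    sql = f"SELECT id, name, city FROM hotels WHERE id = {hotel_id}"
    return conn.execute(sql).fetchall()


def search_hotels_fixed(conn, hotel_id):
    """Validate the type, then pass the value as a bound parameter."""
    try:
        hid = int(hotel_id)
    except (TypeError, ValueError):
        # Anything that is not an integer ID is rejected before it reaches SQL.
        raise ValueError("hotel_id must be an integer")
    sql = "SELECT id, name, city FROM hotels WHERE id = ?"
    return conn.execute(sql, (hid,)).fetchall()


def demo():
    """Run both versions and report what each exposes for the same inputs."""
    conn = connect()
    leaked = search_hotels_vulnerable(conn, UNION_PAYLOAD)
    try:
        search_hotels_fixed(conn, UNION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "legit_vulnerable": search_hotels_vulnerable(conn, "1"),
        "legit_fixed": search_hotels_fixed(conn, "1"),
        # Second column of each leaked row is a table name from sqlite_master.
        "leaked_tables": sorted(row[1] for row in leaked),
        "payload_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Binding alone (without the `int()` check) would also defeat this payload, because the driver sends the whole string as a single literal and the comparison simply matches no row; the explicit type check is added so that malformed input fails loudly and can be logged rather than silently returning an empty result.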
Preconditions
- Config: The Joomla J-MultipleHotelReservation component version 6.0.7 must be installed and the search-hotels endpoint must be accessible over HTTP.
- Auth: No authentication is required; the attacker can send the POST request without any session or credentials.
- Network: The attacker must be able to reach the web server hosting the vulnerable Joomla instance over the network.
- Input: The attacker supplies a malicious hotel_id parameter containing SQL UNION SELECT syntax via a POST request.
Reproduction
Send a POST request to `http://TARGET/[PATH]/j-myhotel/search-hotels?view=hotels` with the body `controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=-1 UNION SELECT 1,...` (the full UNION SELECT payload is provided in the exploit). Note that in this body as quoted, `hotel_id` is left empty and the UNION SELECT is appended to the `rooms` parameter, while the advisory names `hotel_id` as the injection point; check the exploit for the exact parameter before reproducing. The leading `-1` makes the legitimate query match no rows, so only the attacker's UNION rows are returned. The server responds with a 200 OK whose body contains the extracted database information [ref_id=1].
Generated on Jun 20, 2026 from this CVE's description, CWE entries and references; no fix-commit diff was available for this advisory. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46232 (exploit)
- www.vulncheck.com/advisories/joomla-j-multiplehotelreservation-sql-injection (third-party advisory)
- cmsjunkie.com (product)
- extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/ (product)