VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Joomla! Component Easy Shop 1.2.3 Local File Inclusion

CVE-2019-25760

Description

Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The `ajax.loadImage` task in Easy Shop 1.2.3 does not validate or sanitize the base64-decoded file path, enabling directory traversal."

Attack vector

An unauthenticated attacker sends a GET request to `index.php` with `option=com_easyshop`, `task=ajax.loadImage`, and a base64-encoded file path in the `file` parameter. The component reads the decoded path without validating it, allowing directory traversal to read arbitrary files such as `configuration.php` or `/etc/passwd` [ref_id=1]. No authentication or prior knowledge is required beyond the Joomla base path.

What the fix does

The advisory does not include a patch or vendor fix. The vulnerability exists because the `ajax.loadImage` task accepts a user-supplied base64-encoded `file` parameter and includes it without sanitization or path restriction [ref_id=1]. Remediation would require validating that the decoded path falls within an allowed directory and rejecting traversal sequences.
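The remediation described above, as an added example rather than Easy Shop's own code: a hardened lookup for the `ajax.loadImage` task that decodes the parameter strictly, accepts only a bare image file name, and confirms the resolved path stays inside an assumed images directory (`images/com_easyshop` under `JPATH_ROOT` is an assumption; the component's real layout is not given in the advisory).

```php
<?php
use Joomla\CMS\Factory;

// Resolve a base64-encoded image name to an absolute path inside $baseDir,
// or return null when the input must be rejected.
function easyshop_resolve_image(string $encoded, string $baseDir): ?string
{
    // Strict decoding: anything that is not valid base64 is rejected outright.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || $decoded === '') {
        return null;
    }
    // Only a bare file name is allowed: no NUL bytes, no path separators,
    // so "../../configuration.php" never reaches the filesystem.
    if (strpbrk($decoded, "\0/\\") !== false) {
        return null;
    }
    // Allow-list the extension; this endpoint exists to serve images only.
    $ext = strtolower(pathinfo($decoded, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    // realpath() resolves symlinks and any remaining ".." components, so the
    // final containment check is made on the canonical path, not the raw input.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $decoded);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Task handler (assumed directory layout): serve the file or answer 404.
$app     = Factory::getApplication();
$encoded = $app->input->getString('file', '');
$path    = easyshop_resolve_image($encoded, JPATH_ROOT . '/images/com_easyshop');

if ($path === null) {
    http_response_code(404);
    $app->close();
}
header('Content-Type: ' . mime_content_type($path));
readfile($path);
$app->close();
```

Requests that carry traversal sequences or non-image names are rejected before any file is opened, so they show up as 404s in the access log, which is the signal to alert on.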

Preconditions

  • config: The Joomla instance must have the Easy Shop 1.2.3 component installed and enabled.
  • auth: No authentication is required; the endpoint is publicly accessible.
  • network: The attacker must be able to send HTTP GET requests to the Joomla index.php.
  • input: The file parameter must contain a base64-encoded path with directory traversal sequences.

Reproduction

Send a GET request to `http://localhost/[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vY29uZmlndXJhdGlvbi5waHA=` (which decodes to `../../configuration.php`). The server responds with the contents of the requested file [ref_id=1].

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
