What the vulnerability does
01Description
Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.
Explanation of Vulnerability in Simple Terms
02Summary
The EkRishta Joomla extension versions 2.10 and later contain a SQL injection vulnerability in an unspecified component. An attacker can send a crafted request over the network to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user credentials and site configuration.
What an attacker can do
03Attacker Capabilities
Execute arbitrary SQL queries to read, modify, or delete database contents without authentication.
Potential impact on your site
04Site Impact
Attackers can steal user passwords, modify site content, or disable the site by corrupting the database.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 17, 2026
CVE published
May 18, 2026
Record updated