CVE-2018-25330 HIGH

CVE-2018-25330: Joomla! EkRishta 2.10 Persistent XSS and SQL Injection

Vendor Joomlaextensions
Product Joomla! extension EkRishta
Weakness CWE-89 · SQLi
Published May 17, 2026
Last update May 18, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.

Explanation of Vulnerability in Simple Terms

02Summary

The EkRishta Joomla extension versions 2.10 and later contain a SQL injection vulnerability in an unspecified component. An attacker can send a crafted request over the network to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user credentials and site configuration.

What an attacker can do

03Attacker Capabilities

Execute arbitrary SQL queries to read, modify, or delete database contents without authentication.

Potential impact on your site

04Site Impact

Attackers can steal user passwords, modify site content, or disable the site by corrupting the database.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 17, 2026 CVE published
May 18, 2026 Record updated

Related vulnerabilities

08Related CVE