CVE-2025-40636 CRITICAL

CVE-2025-40636: SQL injection in the mod_vvisit_counter module

Vendor Mod_Vvisit_Counter
Product mod_vvisit_counter
Weakness CWE-89 · SQLi
Published October 3, 2025
Last update October 3, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

SQL injection vulnerability in the Joomla module mod_vvisit_counter v2.0.4j3. It allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.

Explanation of Vulnerability in Simple Terms

02 Summary

mod_vvisit_counter version 2.0.4j3 contains a SQL injection vulnerability that allows unauthenticated attackers to query or modify the site's database. The flaw is that user input, here the value of the ‘cip_vvisitcounter’ cookie, is processed without proper sanitization. An attacker can extract sensitive data, alter records, or potentially gain further access to the site.

What an attacker can do

03 Attacker Capabilities

Query, read, or modify the site database without authentication.

Potential impact on your site

04 Site Impact

Database contents (user data, posts, settings) can be read or altered by remote attackers.

Conditions required to exploit

05 Prerequisites

Network access to the vulnerable module; no authentication or user interaction required.

Key dates

06 Disclosure timeline

October 3, 2025 CVE published
October 3, 2025 Record updated