CVE-2025-49485 HIGH

CVE-2025-49485: Extension - balbooa.com - SQL injection in Balbooa Forms component version 1.0.0 - 2.3.1.1 for Joomla

Vendor Balbooa.com
Product Balbooa Forms component for Joomla
Weakness CWE-89 · SQLi
Published July 18, 2025
Last update July 20, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter.

Explanation of Vulnerability in Simple Terms

02Summary

The Balbooa Forms component for Joomla contains a SQL injection vulnerability in versions up to 2.3.1.1. An attacker with high-level administrative privileges can inject malicious SQL code through form input fields, potentially reading or modifying the site database. This vulnerability requires authenticated access and does not affect confidentiality, integrity, or availability of the broader system.

What an attacker can do

03Attacker Capabilities

Execute arbitrary SQL queries against the Joomla database to read or modify data.

Potential impact on your site

04Site Impact

A compromised admin account could be used to extract or alter sensitive site data via the form component.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative access to the Joomla site.

Key dates

06Disclosure timeline

July 18, 2025 CVE published
July 20, 2025 Record updated