CVE-2025-54298 CRITICAL

CVE-2025-54298: Extension - firecoders.com - Stored XSS vulnerability in CommentBox component 1.0.0-1.1.0 for Joomla

Vendor Firecoders.com
Product CommentBox component for Joomla
Weakness CWE-79 · XSS
Published July 28, 2025
Last update July 31, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

A stored XSS vulnerability in CommentBox component 1.0.0-1.1.0 for Joomla was discovered.

Explanation of Vulnerability in Simple Terms

02Summary

The CommentBox component for Joomla contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into comments. An attacker can craft a comment containing JavaScript code that executes in the browsers of other users viewing the comments. This requires user interaction—the victim must view the affected comment. The vulnerability affects versions 1.0.0 through 1.1.0.

What an attacker can do

03Attacker Capabilities

Inject JavaScript code that runs in other users' browsers when they view comments.

Potential impact on your site

04Site Impact

Attackers can steal session cookies, redirect users, or deface comment sections without needing admin access.

Conditions required to exploit

05Prerequisites

Network access to the Joomla site; victim must view a comment containing the malicious payload.

Key dates

06Disclosure timeline

July 28, 2025 CVE published
July 31, 2025 Record updated

Related vulnerabilities

08Related CVE