CVE-2013-1453

Joomla! 2.5.x-3.0.2 - PHP Object Injection via Highlight Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1453. PoCs published by EgiX.

AI-analyzed exploit summary: This is a vulnerability writeup describing a PHP object injection vulnerability in Joomla! versions 3.0.2 and earlier, as well as 2.5.8 and earlier. The vulnerability arises from improper sanitization of user input in the 'highlight' parameter, leading to arbitrary PHP object injection.

Description

plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight parameter. Note: it was originally reported that this issue only allowed attackers to obtain sensitive information, but later analysis demonstrated that other attacks exist.

Exploits (1)

exploitdb WRITEUP VERIFIED
by EgiX · text · webapps · php
https://www.exploit-db.com/exploits/24551

Classification: Writeup 100%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Joomla! <= 3.0.2, Joomla! <= 2.5.8
No auth needed
Prerequisites: System Highlight plugin enabled
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0315
EPSS Percentile 86.3%

Details

Status published
Products (12)
joomla/joomla\! 2.5.0
joomla/joomla\! 2.5.1
joomla/joomla\! 2.5.2
joomla/joomla\! 2.5.3
joomla/joomla\! 2.5.4
joomla/joomla\! 2.5.5
joomla/joomla\! 2.5.6
joomla/joomla\! 2.5.7
joomla/joomla\! 2.5.8
joomla/joomla\! 3.0.0
... and 2 more
Published Feb 13, 2013
Tracked Since Feb 18, 2026