CVE-2018-25380

HIGH

Joomla Component eXtroForms 2.1.5 SQL Injection via filter parameters

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25380. PoCs published by AkkuS.

AI-analyzed exploit summary This exploit demonstrates SQL injection vulnerabilities in Joomla's eXtroForms component (version 2.1.5) via the 'filter_type_id', 'filter_pid_id', and 'filter_search' POST parameters. It includes multiple payloads for boolean-based blind, error-based, and time-based blind SQLi attacks.

Description

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.

Exploits (1)

exploitdb WORKING POC

by AkkuS · textwebappsphp

https://www.exploit-db.com/exploits/45472

View Code ZIP pw:eip

This exploit demonstrates SQL injection vulnerabilities in Joomla's eXtroForms component (version 2.1.5) via the 'filter_type_id', 'filter_pid_id', and 'filter_search' POST parameters. It includes multiple payloads for boolean-based blind, error-based, and time-based blind SQLi attacks.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Joomla eXtroForms 2.1.5

Auth required

Prerequisites: Authenticated access to the Joomla administrator panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 25, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-45472

https://www.exploit-db.com/exploits/45472

Product product

Official Product Homepage

https://extro.media/

Product product

Product Reference

https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/extroforms/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Joomla Component eXtroForms 2.1.5 SQL Injection via filter parameters

https://www.vulncheck.com/advisories/joomla-component-extroforms-sql-injection-via-filter-parameters

Scores

CVSS v3 7.1

EPSS 0.0028

EPSS Percentile 20.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Extro/eXtroForms 2.1.5

Published May 25, 2026

Tracked Since May 25, 2026