CVE-2018-25433

HIGH

Joomla Component JE Photo Gallery 1.1 - Unauthenticated SQL Injection via categoryid Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25433. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary: This Perl script exploits a SQL injection vulnerability in Joomla! Component JE Photo Gallery 1.1 by sending a crafted HTTP request to fetch user credentials. The exploit uses URL-encoded SQL payloads to extract data from the database.

Description

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted categoryid values in the com_jephotogallery component to execute arbitrary SQL queries and retrieve sensitive data like usernames and password hashes.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · perl · webapps · php
https://www.exploit-db.com/exploits/45930

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Joomla! Component JE Photo Gallery 1.1
No auth needed
Prerequisites: Target URL with vulnerable Joomla component
devstral-2 · analyzed Jun 02, 2026

Scores

CVSS v3 8.2
EPSS 0.0009
EPSS Percentile 25.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
Joomlaextensions/JE Photo Gallery 1.1
Published Jun 01, 2026
Tracked Since Jun 02, 2026