CVE-2019-25750

HIGH

Joomla J-MultipleHotelReservation 6.0.7 SQL Injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25750. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary This is a functional SQL injection exploit for Joomla! Component J-MultipleHotelReservation 6.0.7. The exploit demonstrates a UNION-based SQL injection via the 'rooms' parameter in a POST request, allowing an attacker to extract sensitive data from the database.

Description

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotel_id parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL UNION SELECT statements to extract sensitive database information including table names and column data.

Exploits (1)

exploitdb WORKING POC

by Ihsan Sencan · textwebappsphp

https://www.exploit-db.com/exploits/46232

View Code ZIP pw:eip

This is a functional SQL injection exploit for Joomla! Component J-MultipleHotelReservation 6.0.7. The exploit demonstrates a UNION-based SQL injection via the 'rooms' parameter in a POST request, allowing an attacker to extract sensitive data from the database.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Joomla! Component J-MultipleHotelReservation 6.0.7

No auth needed

Prerequisites: Access to the target Joomla! installation with the vulnerable component installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 19, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-46232

https://www.exploit-db.com/exploits/46232

Product product

Official Product Homepage

http://cmsjunkie.com/

Product product

Product Reference

https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Joomla J-MultipleHotelReservation 6.0.7 SQL Injection

https://www.vulncheck.com/advisories/joomla-j-multiplehotelreservation-sql-injection

Scores

CVSS v3 8.2

EPSS 0.0037

EPSS Percentile 28.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Cmsjunkie/MultipleHotelReservation 6.0.7

Published Jun 19, 2026

Tracked Since Jun 19, 2026