CVE-2019-9184

CRITICAL LAB

J2Store 3.3.0-3.3.6 - SQL Injection via product_option[] Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-9184. PoCs published by Andrei Conache, cved-sources.

AI-analyzed exploit summary This is a writeup describing a SQL injection vulnerability in the J2Store Plugin for Joomla! versions prior to 3.3.6. The vulnerability allows arbitrary SQL queries via the 'product_option[j]' parameter.

Description

SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter.

Exploits (2)

exploitdb WRITEUP VERIFIED

by Andrei Conache · textwebappsphp

https://www.exploit-db.com/exploits/46467

View Code ZIP pw:eip

This is a writeup describing a SQL injection vulnerability in the J2Store Plugin for Joomla! versions prior to 3.3.6. The vulnerability allows arbitrary SQL queries via the 'product_option[j]' parameter.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: J2Store Plugin for Joomla! < 3.3.6

No auth needed

Prerequisites: Access to the vulnerable Joomla! instance

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by cved-sources · poc

https://github.com/cved-sources/cve-2019-9184

View Code ZIP pw:eip

This repository provides a Docker container setup for CVE-2019-9184, a vulnerability in Joomla with the J2Store extension. The script initializes a MySQL database, installs Joomla with the vulnerable extension, and starts Apache to expose the vulnerable environment.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Joomla with J2Store extension v3.3.6

No auth needed

Prerequisites: Docker environment · Joomla installation with J2Store extension v3.3.6

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46467/

Patch, Vendor Advisory x_refsource_misc

https://www.j2store.org/blog/general/security-update-for-j2store.html

Third Party Advisory x_refsource_misc

https://andreiconache.me/j2store-plugin-3-3-6-sql-injection/

Scores

CVSS v3 9.8

EPSS 0.0898

EPSS Percentile 94.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull cved/base-joomla

https://github.com/cved-sources/cve-2019-9184

View in Library

Details

CWE

CWE-89

Status published

Products (1)

j2store/j2store 3.3.0 - 3.3.7

Published Feb 26, 2019

Tracked Since Feb 18, 2026