CVE-2020-13996

HIGH

J2Store < 3.3.13 - Authenticated SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13996. PoCs published by mkelepce.

AI-analyzed exploit summary This repository contains a proof-of-concept for an authenticated SQL injection vulnerability in Joomla J2 Store 3.3.11. The exploit targets the 'filter_order_Dir' and 'filter_order' parameters in the products.php file, allowing an attacker to inject malicious SQL queries.

Description

The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager.

Exploits (1)

nomisec WORKING POC

by mkelepce · poc

https://github.com/mkelepce/CVE-2020-13996

View Code ZIP pw:eip

This repository contains a proof-of-concept for an authenticated SQL injection vulnerability in Joomla J2 Store 3.3.11. The exploit targets the 'filter_order_Dir' and 'filter_order' parameters in the products.php file, allowing an attacker to inject malicious SQL queries.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Joomla J2 Store 3.3.11

Auth required

Prerequisites: Authenticated access to the Joomla administrator panel

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html

Release Notes, Vendor Advisory x_refsource_misc

https://www.j2store.org/resources/change-log.html

Scores

CVSS v3 8.8

EPSS 0.0134

EPSS Percentile 67.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

j2store/j2store < 3.3.13

Published Jun 09, 2020

Tracked Since Feb 18, 2026