CVE-2020-37218

HIGH

Joomla com_hdwplayer 4.2 SQL Injection via search.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37218. PoCs published by qw3rTyTy.

AI-analyzed exploit summary

The exploit details a SQL injection vulnerability in Joomla! com_hdwplayer 4.2, specifically in the 'search.php' file where user input is directly interpolated into a SQL query without sanitization. The PoC uses sqlmap to demonstrate the vulnerability, but the core of the submission is a technical analysis of the vulnerable code.

Description

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.

Exploits (1)

exploitdb WRITEUP
by qw3rTyTy · text · webapps · php
https://www.exploit-db.com/exploits/48242

Classification
Writeup 90%
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: Joomla! com_hdwplayer 4.2
No auth needed
Prerequisites: Joomla! with com_hdwplayer 4.2 installed · Access to the search functionality
devstral-2 · analyzed May 13, 2026

References (4)

Exploit: ExploitDB-48242
https://www.exploit-db.com/exploits/48242

Product: Official Product Homepage
https://www.hdwplayer.com/

Product: Product Reference
https://www.hdwplayer.com/download/

Third Party Advisory: VulnCheck Advisory: Joomla com_hdwplayer 4.2 SQL Injection via search.php
https://www.vulncheck.com/advisories/joomla-com-hdwplayer-sql-injection-via-search-php

Scores

CVSS v3 8.2
EPSS 0.0027
EPSS Percentile 18.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Hdwplayer/com_hdwplayer 4.2
Published May 13, 2026
Tracked Since May 13, 2026