CVE-2021-47930

HIGH

Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47930. PoCs published by blockomat2100.

AI-analyzed exploit summary: This is a functional SQL injection exploit for Balbooa Joomla Forms Builder 2.0.6, demonstrating an unauthenticated attack via a crafted multipart/form-data POST request. The exploit injects SQL payloads into the 'id' field of the JSON data submitted to the vulnerable endpoint.

Description

Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information.

Exploits (1)

exploitdb · WORKING POC
by blockomat2100 · text · webapps · php
https://www.exploit-db.com/exploits/50447

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Balbooa Joomla Forms Builder 2.0.6
No auth needed
Prerequisites: Joomla with Balbooa Forms Builder 2.0.6 installed
devstral-2 · analyzed May 10, 2026

References (3)

Core References (3)
Exploit: ExploitDB-50447
https://www.exploit-db.com/exploits/50447
Product: Official Product Homepage
https://www.balbooa.com/
Third Party Advisory: VulnCheck Advisory: Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated
https://www.vulncheck.com/advisories/balbooa-joomla-forms-builder-sql-injection-unauthenticated

Scores

CVSS v3: 8.2
EPSS: 0.0031
EPSS Percentile: 22.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (1): Balbooa/Balbooa Joomla Forms Builder 2.0.6
Published: May 10, 2026
Tracked Since: May 10, 2026