CVE-2023-54364

MEDIUM

Joomla HikaShop 4.7.4 Reflected XSS via Product Filter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54364. PoCs published by CraCkEr.

AI-analyzed exploit summary: the exploit demonstrates a reflected XSS vulnerability in Joomla HikaShop 4.7.4 via multiple GET parameters ('from_option', 'from_ctrl', 'from_task', 'from_itemid'). The provided payload triggers an alert() when injected into any of the vulnerable parameters.

Description

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability: the product filter endpoint echoes the from_option, from_ctrl, from_task and from_itemid GET parameters into its response without sanitising them. An unauthenticated attacker can craft a URL carrying a script payload in any of these parameters; when a victim opens the link, the script runs in the victim's browser in the origin of the Joomla site. Because it is reflected rather than stored, each attack requires the victim to visit the attacker-supplied URL (hence UI:R in the CVSS vector). Typical impact is theft of session tokens (where the session cookie is not marked HttpOnly), capture of login credentials via an injected form, or other actions performed in the victim's authenticated context.
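The following is an added example, not HikaShop's code and not the Exploit-DB PoC. It gives a practitioner two checks for this class of bug: an offline classifier that tells whether a canary sent in one of the four from_* parameters came back raw (a reflected XSS sink), HTML-escaped (fix in place) or not at all, and a triage helper that flags access-log requests whose from_* values carry markup. The product-filter URL, the sample HTML responses and the log lines are assumptions constructed for illustration; the exact filter path is not reproduced from the PoC.

```python
"""Reflection check and log triage for the HikaShop from_* parameters.

Added example: this is not HikaShop's code nor the exploit-db PoC. Assumed
(not taken from the advisory): the product-filter URL passed by the caller,
and the sample HTML responses and access-log lines below, which are
constructed for illustration.
"""
import re
from html import escape
from urllib.parse import parse_qs, unquote_plus, urlencode, urlparse

# GET parameters the advisory and the PoC name as reflected unsanitised.
VULN_PARAMS = ("from_option", "from_ctrl", "from_task", "from_itemid")

# Canary = unique token + harmless tag. Testing for the tag itself (not for a
# specific entity encoding) avoids false negatives when a fix emits PHP-style
# &#039; rather than Python-style &#x27; for quotes.
TOKEN = "q1w2e3"
CANARY = TOKEN + "<zz>"


def build_probe_url(filter_url, param, canary=CANARY):
    """Append one from_* parameter carrying the canary to filter_url.

    filter_url is the site's product-filter page (assumed; the exact path is
    not reproduced here). Existing query parameters are kept."""
    if param not in VULN_PARAMS:
        raise ValueError(f"not a parameter named in the advisory: {param}")
    sep = "&" if urlparse(filter_url).query else "?"
    return f"{filter_url}{sep}{urlencode({param: canary})}"


def classify_reflection(body, token=TOKEN, canary=CANARY):
    """Classify how the canary came back in an HTML response body.

    'raw'     : tag reflected unescaped -> reflected XSS sink
    'escaped' : token present but tag neutralised -> HTML escaping in place
                (still review JS-string or URL contexts, which HTML escaping
                alone does not cover)
    'none'    : parameter not reflected at all"""
    if canary in body:
        return "raw"
    if token in body:
        return "escaped"
    return "none"


# Constructed responses. A hidden form field echoing the parameter is the
# kind of sink a "return-to" style parameter typically lands in (assumed).
SAMPLE_RESPONSES = {
    "vulnerable": f'<input type="hidden" name="from_option" value="{CANARY}">',
    "fixed": f'<input type="hidden" name="from_option" value="{escape(CANARY, quote=True)}">',
    "not_reflected": "<html><body>ok</body></html>",
}

# Markup or script fragments that do not belong in a from_* value.
_XSS_HINT = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def flag_xss_requests(log_lines):
    """Return (line_no, param, decoded_value) for combined-format access-log
    lines whose from_* parameter carries HTML/JS metacharacters.

    parse_qs decodes one layer of percent-encoding; unquote_plus peels a
    second so double-encoded payloads (%253C) are not missed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlparse(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in VULN_PARAMS:
                continue
            for value in values:
                decoded = unquote_plus(value)
                if _XSS_HINT.search(decoded):
                    hits.append((n, param, decoded))
    return hits


# Constructed log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_hikashop'
    '&from_option=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_hikashop'
    '&from_ctrl=product HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_hikashop'
    '&from_itemid=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_reflection(body)}")
    for n, param, value in flag_xss_requests(SAMPLE_LOG):
        print(f"log line {n}: {param}={value!r}")
```

To use the reflection check against a live site, fetch build_probe_url(...) for each name in VULN_PARAMS with whatever HTTP client you prefer and pass the response body to classify_reflection(); a 'raw' result on 4.7.4 confirms the sink, and an 'escaped' result after upgrading shows the output is now HTML-encoded. The log helper is deliberately narrow (only the four parameter names, only obvious metacharacters) so that it produces few false positives when run over a large access log.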

Exploits (1)

Exploit-DB (working PoC)
by CraCkEr · text · webapps · php
https://www.exploit-db.com/exploits/51629

Classification
Working PoC: 90% confidence
Attack type: XSS
Complexity: trivial
Reliability: reliable
Target: Joomla HikaShop 4.7.4
Authentication: none needed
Prerequisites: victim must open a crafted URL
Analyzed by devstral-2 on Apr 10, 2026

References (4)

Product: Official Product Homepage
https://www.hikashop.com/
Product: Product Reference (HikaShop demo site)
https://demo.hikashop.com/index.php/en/
Exploit: ExploitDB-51629
https://www.exploit-db.com/exploits/51629
Third-party advisory: VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter
https://www.vulncheck.com/advisories/joomla-hikashop-reflected-xss-via-product-filter

Scores

CVSS v3: 6.1 (Medium)
EPSS: 0.0023 (an estimated 0.23% probability of exploitation in the wild within the next 30 days)
EPSS percentile: 13.1%
Attack vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none (no evidence of active exploitation recorded at enrichment time; a public PoC nonetheless exists, see Exploits above)
Automatable: no
Technical impact: partial

Details

CWE
CWE-79
Status published
Products (1)
Hikashop/Joomla HikaShop 4.7.4
Published Apr 09, 2026
Tracked Since Apr 10, 2026