CVE-2025-2126

MEDIUM

JoomlaUX JUX Real Estate 3.4.0 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-2126. PoCs published by CraCkEr.

AI-analyzed exploit summary: This exploit demonstrates a time-based blind SQL injection vulnerability in JUX Real Estate 3.4.0 via the 'title' GET parameter. The provided payload uses a SLEEP function to confirm the vulnerability, allowing unauthorized database access.

Description

A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla and classified as critical. It affects unspecified processing in the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties of the component GET Parameter Handler. Manipulating the argument 'title' leads to SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

exploitdb WORKING POC
by CraCkEr · text · webapps · php
https://www.exploit-db.com/exploits/52089

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: JUX Real Estate 3.4.0 (Joomla extension)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.299039
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.299039
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.509884

Scores

CVSS v3 6.3
EPSS 0.0124
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-74, CWE-89
Status published
Products (1)
joomlaux/jux_real_estate 3.4.0
Published Mar 09, 2025
Tracked Since Feb 18, 2026