Description

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.

PUBLISHED Reserved 2026-05-17 | Published 2026-05-17 | Updated 2026-05-18 | Assigner VulnCheck

HIGH: 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
HIGH: 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

2.10 affected

Credits

Sina Kheirkhah (Sina.For.Sec@gmail.com) finder

References

www.exploit-db.com/exploits/44660 (ExploitDB-44660) exploit

www.joomlaextensions.co.in/ (Official Product Homepage) product

extensions.joomla.org/...g/dating-a-relationships/ek-rishta/ (Product Reference) product

www.vulncheck.com/...rishta-persistent-xss-and-sql-injection (VulnCheck Advisory: Joomla! EkRishta 2.10 Persistent XSS and SQL Injection) third-party-advisory

cve.org (CVE-2018-25330)

nvd.nist.gov (CVE-2018-25330)