Home

Description

SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-03 | Updated 2025-10-03 | Assigner INCIBE




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

2.0.4j3
affected

Credits

Andrea Serrano Urea finder

References

www.incibe.es/...aviso/sql-injection-modvvisitcounter-module

cve.org (CVE-2025-40636)

nvd.nist.gov (CVE-2025-40636)

Download JSON