CVE-2025-49485
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| balbooa | joomla_forms | 2.3.1.2 |
| joomla | joomla | * |
| balbooa | joomla_forms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49485 is a SQL injection vulnerability in the Balbooa Forms plugin for Joomla (versions 1.0.0 to 2.3.1.1) that allows privileged users to execute arbitrary SQL commands via the 'id' parameter. Additionally, the vulnerability relates to the payment processing functionality, specifically with Stripe payments, where if a Stripe payment fails, the system still sends a payment confirmation email to the payee. This can cause missed payments and financial discrepancies, undermining the reliability of payment confirmations. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing privileged users to execute arbitrary SQL commands, potentially compromising the database integrity and security. Moreover, the payment confirmation flaw can lead to financial discrepancies, such as sending confirmation emails for failed Stripe payments, which may cause confusion, missed payments, or fraud risks in your Joomla-based website using the Balbooa Forms extension. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Balbooa Joomla Forms plugin to the latest version (2.3.1.2 or later) where the issue with payment confirmation emails on failed Stripe payments has been addressed. Additionally, review your payment confirmation workflows to ensure that confirmation emails are only sent after successful payment verification. Consider temporarily disabling payment confirmation emails until the update is applied to prevent financial discrepancies. [1]