CVE-2017-20274
Received Received - Intake
SQL Injection in Joomla LMS King Professional

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Attackers can send GET requests to index.php with the option=com_lmsking, view=lmsking, layout=learningpath, and task=learningPath parameters to extract sensitive database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2017-20274
EUVD
EUVD-2017-19001
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
joomla_lms_king professional 3.2.4.0
king_products joomla_lms_king_professional 3.2.4.0
king_products joomla_lms_king_professional to 3.2.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in Joomla LMS King Professional 3.2.4.0 allows unauthenticated attackers to extract sensitive database information. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access or manipulate sensitive data without authorization, the vulnerability increases the risk of data breaches, which are subject to regulatory reporting requirements and penalties under these standards.

Executive Summary

Joomla LMS King Professional version 3.2.4.0 contains a high-severity SQL injection vulnerability identified as CVE-2017-20274. This flaw allows unauthenticated attackers to inject malicious SQL code through the 'cp_id' parameter in a specially crafted GET request to the index.php file with specific parameters (option=com_lmsking, view=lmsking, layout=learningpath, task=learningPath).

By exploiting this vulnerability, attackers can manipulate database queries and extract sensitive information from the database without needing any authentication.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to gain unauthorized access to sensitive database information. Since the attack requires no authentication, it poses a high risk of data exposure.

Attackers can manipulate database queries, potentially leading to data theft, unauthorized data disclosure, and compromise of the integrity of the affected system's data.

Detection Guidance

This SQL injection vulnerability can be detected by monitoring for suspicious GET requests targeting the vulnerable Joomla LMS King Professional component. Specifically, look for HTTP requests to 'index.php' with the parameters option=com_lmsking, view=lmsking, layout=learningpath, and task=learningPath, especially those including unusual or malicious input in the 'cp_id' parameter.

A practical detection method is to use network traffic inspection or web server logs to identify such requests. For example, using command-line tools like grep on web server logs:

  • grep "option=com_lmsking&view=lmsking&layout=learningpath&task=learningPath" /path/to/access.log
  • grep "cp_id=" /path/to/access.log

Additionally, tools like curl can be used to test the vulnerability by sending crafted GET requests with SQL injection payloads in the cp_id parameter to see if the server responds with database errors or unexpected data.

Mitigation Strategies

Immediate mitigation steps include restricting or blocking access to the vulnerable component by filtering or blocking HTTP requests containing the parameters option=com_lmsking, view=lmsking, layout=learningpath, and task=learningPath, especially those with the cp_id parameter.

Applying security patches or updating Joomla LMS King Professional to a version that fixes this SQL injection vulnerability is critical.

If patching is not immediately possible, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the cp_id parameter.

Also, review and harden database permissions to limit the impact of any potential exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2017-20274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart