CVE-2019-25755

Received Received - Intake

SQL Injection in Joomla vReview Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION statements in the cmId parameter to extract database information including usernames, passwords, and database versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-19

Last Modified

2026-06-19

Generated

2026-06-19

AI Q&A

2026-06-19

EPSS Evaluated

N/A

NVD

CVE-2019-25755

EUVD

EUVD-2019-20191

Affected Vendors & Products

Vendor	Product	Version / Range
wdmtech	vreview	1.9.11
wdmtech	vreview	to 2.5.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2019-25755 is a SQL injection vulnerability in Joomla Component vReview version 1.9.11. It allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter in POST requests to the editReview task endpoint.

Attackers can send URL-encoded SQL UNION statements via this parameter to extract sensitive database information such as usernames, passwords, and database versions.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access to sensitive database information like usernames and passwords.

Because attackers can execute arbitrary SQL commands without authentication, they can potentially compromise the integrity and confidentiality of the database.

Detection Guidance

This SQL injection vulnerability can be detected by sending crafted HTTP POST requests to the editReview task endpoint of the Joomla vReview component, specifically targeting the cmId parameter with URL-encoded SQL UNION statements.

Proof-of-concept exploits involve sending malicious input via the cmId parameter in POST requests to check if arbitrary SQL commands can be executed.

Use curl or similar tools to send a POST request with a payload in the cmId parameter containing SQL injection code, for example:
curl -X POST -d "task=editReview&cmId=1%20UNION%20SELECT%20user(),database(),version()--" http://target-site/path/to/component

If the response contains database information such as usernames or version details, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating the Joomla vReview component to the latest version that addresses this vulnerability.

If an update is not immediately available, restrict access to the vulnerable endpoints by implementing web application firewall (WAF) rules to block malicious POST requests targeting the cmId parameter.

Additionally, monitor and analyze incoming traffic for suspicious SQL injection patterns and consider disabling or removing the vulnerable vReview component until a patch is applied.

Compliance Impact

The SQL injection vulnerability in Joomla Component vReview 1.9.11 allows unauthenticated attackers to extract sensitive database information such as usernames and passwords. This exposure of sensitive personal and authentication data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access.

Because attackers can access confidential user data through this vulnerability, organizations using the affected software may face increased risk of data breaches, potentially resulting in regulatory penalties and loss of trust.

Hi! I’m here to help you understand CVE-2019-25755. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25755

SQL Injection in Joomla vReview Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart