CVE-2019-25756

Received Received - Intake

SQL Injection in Joomla vAccount Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla! Component vAccount 2.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vid parameter. Attackers can send GET requests to the vaccount-dashboard/expense endpoint with crafted SQL payloads in the vid parameter to extract sensitive database information including version and database names.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-19

Last Modified

2026-06-19

Generated

2026-06-19

AI Q&A

2026-06-19

EPSS Evaluated

N/A

NVD

CVE-2019-25756

EUVD

EUVD-2019-20192

Affected Vendors & Products

Vendor	Product	Version / Range
wdmtech	vaccount	2.0.2
wdmtech	vaccount	to 2.0.2 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2019-25756 is a high-severity SQL injection vulnerability found in Joomla! Component vAccount version 2.0.2 and earlier. It allows unauthenticated attackers to inject malicious SQL code through the 'vid' parameter in the vaccount-dashboard/expense endpoint.

By exploiting this vulnerability, attackers can execute arbitrary SQL queries on the backend database, enabling them to extract sensitive information such as database version and database names.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can extract critical data such as database version and names without any authentication.

Such unauthorized data extraction can lead to further attacks, data breaches, and compromise of the integrity and confidentiality of your financial and transactional data managed by the vAccount Joomla extension.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the vaccount-dashboard/expense endpoint with malicious SQL payloads in the 'vid' parameter and observing the responses for signs of SQL injection, such as database version or names being returned.

A practical detection method involves using tools like curl or wget to send requests with SQL injection payloads to the vulnerable parameter. For example:

curl -v "http://<target>/vaccount-dashboard/expense?vid=1' UNION SELECT @@version--"
curl -v "http://<target>/vaccount-dashboard/expense?vid=1' OR '1'='1"

If the response contains database version information or other unexpected data, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

Restrict or block access to the vaccount-dashboard/expense endpoint to prevent unauthenticated requests.
Apply input validation and sanitization on the 'vid' parameter to prevent SQL injection.
Update the Joomla! vAccount component to a version where this vulnerability is fixed, if available.
Use web application firewalls (WAF) to detect and block malicious SQL injection attempts targeting this endpoint.

Since the vulnerability allows unauthenticated attackers to execute arbitrary SQL queries, immediate access control and patching are critical.

Compliance Impact

The SQL injection vulnerability in Joomla! Component vAccount 2.0.2 allows unauthenticated attackers to extract sensitive database information by executing arbitrary SQL queries. This exposure of sensitive data can lead to unauthorized access to personal or financial information managed by the extension.

Such unauthorized data access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised confidentiality and integrity of sensitive information.

Hi! I’m here to help you understand CVE-2019-25756. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25756

SQL Injection in Joomla vAccount Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart