CVE-2019-25757
SQL Injection in Joomla vWishlist Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information, including the database version and database names.
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
joomla vwishlist 1.0.1
joomla vwishlist 3.0.0
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2019-25757 is a SQL injection vulnerability in Joomla vWishlist version 1.0.1. It allows authenticated attackers to inject malicious SQL code through the vproductid and userid parameters by sending crafted POST requests. This injection enables attackers to manipulate SQL queries executed by the application.

Successful exploitation can cause the application to reveal sensitive database information such as database names and versions.

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to execute arbitrary SQL commands on your Joomla vWishlist database.

  • Extraction of sensitive database information including database names and versions.
  • Potential unauthorized access to or manipulation of stored data related to wishlist items.

Such unauthorized access can lead to data breaches, loss of data integrity, and exposure of confidential information.

Detection Guidance

This SQL injection vulnerability in Joomla vWishlist 1.0.1 can be detected by monitoring for crafted HTTP POST requests targeting the vproductid and userid parameters with malicious SQL payloads.

One method to detect exploitation attempts is to analyze web server logs for unusual POST requests containing SQL syntax or payloads in these parameters.

Additionally, sending test POST requests with SQL injection payloads to these parameters and observing the server response for errors such as XPath syntax errors can help confirm the vulnerability.

  • Use tools like curl or Burp Suite to send crafted POST requests to the vulnerable endpoints, for example:
    curl -X POST -d "vproductid=1' OR '1'='1&userid=1" http://target-site.com/path-to-vwishlist
  • Check server responses for SQL errors or unexpected data leakage.
  • Monitor web application firewall (WAF) logs or intrusion detection systems (IDS) for alerts related to SQL injection attempts on these parameters.
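As an added example (not part of this CVE record or of the vWishlist extension), the following Python script applies the log-review advice above to request records that include POST bodies. Default Apache and nginx access logs do not record POST bodies, so it assumes a body-logging source such as a WAF or audit log, in a constructed one-record-per-line format; the timestamps, IP addresses and the /path-to-vwishlist path are all made up for the demonstration. It flags any vproductid or userid value that is not a plain integer and names the SQL injection pattern it matched, so a non-numeric value with no SQL syntax is still reported, at lower confidence, as "non-numeric".

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory names; vWishlist expects both to be numeric identifiers.
WATCHED_PARAMS = ("vproductid", "userid")

# Defensive signatures for common SQL injection shapes, checked case-insensitively.
SQLI_PATTERNS = [
    ("quote", re.compile(r"['\"]")),                                   # breaking out of a string literal
    ("tautology", re.compile(r"\b(?:or|and)\b\s*['\"\d]", re.I)),      # e.g. OR '1'='1
    ("union-select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)), # union-based extraction
    ("error-based", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),  # yields XPath syntax errors in MySQL
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),   # blind, timing-based probes
    ("comment", re.compile(r"--|#|/\*")),                              # comment sequences truncating the query
]

# Constructed record format (hypothetical, not a real server's log layout):
#   <timestamp> <client-ip> "<METHOD> <path>" body="<url-encoded form body>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" body="(?P<body>.*)"$'
)

# Constructed sample records. Line 2 carries the tautology payload quoted in the
# detection guidance; line 3 carries a non-numeric userid with no SQL syntax.
SAMPLE_LOG = """\
2026-06-19T10:00:01Z 203.0.113.5 "POST /path-to-vwishlist" body="vproductid=42&userid=7"
2026-06-19T10:00:07Z 203.0.113.9 "POST /path-to-vwishlist" body="vproductid=1%27+OR+%271%27%3D%271&userid=1"
2026-06-19T10:00:12Z 198.51.100.3 "POST /path-to-vwishlist" body="vproductid=5&userid=abc"
2026-06-19T10:00:20Z 192.0.2.8 "GET /path-to-vwishlist" body=\"\"
"""


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_value(value):
    """Return the list of signature names a parameter value matches.

    A plain integer is the only acceptable shape for these identifiers, so it
    yields no reasons; any other value yields at least ["non-numeric"].
    """
    if value.isdigit():
        return []
    reasons = [name for name, pat in SQLI_PATTERNS if pat.search(value)]
    return reasons or ["non-numeric"]


def scan(lines):
    """Scan body-logging records for suspicious vproductid/userid values in POST requests."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # parse_qs URL-decodes the form body, so signatures see the literal payload.
        params = parse_qs(rec["body"], keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                reasons = classify_value(value)
                if reasons:
                    alerts.append({"ts": rec["ts"], "ip": rec["ip"], "param": name,
                                   "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['ip']} {alert['param']}={alert['value']!r} -> {', '.join(alert['reasons'])}")
```

Values flagged only as "non-numeric" are worth keeping at a lower severity: they are what a probe looks like before the attacker settles on a working payload, and they are also exactly what strict integer validation in the component would reject.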

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable Joomla vWishlist 1.0.1 component to only trusted authenticated users.

Users should update the vWishlist extension to the latest patched version if available.

If no update is available, consider disabling or removing the vWishlist extension to prevent exploitation.

Implement web application firewall (WAF) rules to block SQL injection attempts targeting the vproductid and userid parameters.

Review and harden input validation and parameter sanitization in the application to prevent injection of malicious SQL code.
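Added example, not code from the vWishlist extension (the component's PHP is not on this page): a Python and sqlite3 model of the two fixes the paragraph above calls for, strict integer validation of vproductid and userid followed by a parameterised query, placed beside the string-concatenation pattern that CWE-89 describes. The wishlist table, its rows and the column names are constructed for the demonstration; the same change applies to the extension's PHP database calls, using the database layer's bound parameters instead of concatenation.

```python
import sqlite3

# Constructed sample data standing in for the wishlist table; the real schema is not on the page.
# Columns: id, vproductid, userid. Rows for user 7 and rows belonging to other users.
SAMPLE_ROWS = [(1, 42, 7), (2, 43, 7), (3, 42, 8), (4, 1, 9)]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wishlist (id INTEGER PRIMARY KEY, vproductid INTEGER, userid INTEGER)")
    conn.executemany("INSERT INTO wishlist VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_unsafe(conn, vproductid, userid):
    """CWE-89 pattern: request parameters are concatenated straight into the statement."""
    sql = ("SELECT id, vproductid, userid FROM wishlist "
           "WHERE vproductid = '" + vproductid + "' AND userid = '" + userid + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def to_id(raw, name):
    """Accept only a string of decimal digits and convert it; reject everything else before SQL."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError(f"{name} must be a positive integer, got {raw!r}")
    return int(raw)


def fetch_safe(conn, vproductid, userid):
    """Hardened form: validated integers bound as parameters, never spliced into SQL text."""
    pid = to_id(vproductid, "vproductid")
    uid = to_id(userid, "userid")
    return conn.execute(
        "SELECT id, vproductid, userid FROM wishlist WHERE vproductid = ? AND userid = ? ORDER BY id",
        (pid, uid),
    ).fetchall()


def demo():
    """Run both versions against the tautology payload from the detection guidance.

    Returns (rows for a legitimate lookup, rows leaked by the payload through the
    unsafe query, whether the hardened query rejected the payload, rows from the
    hardened query for the legitimate lookup).
    """
    conn = make_db()
    payload = "1' OR '1'='1"
    legit = fetch_unsafe(conn, "42", "7")
    # The payload turns the WHERE clause into: vproductid = '1' OR ('1'='1' AND userid = '7'),
    # which also returns user 9's row (id 4) to a request made as user 7.
    leaked = fetch_unsafe(conn, payload, "7")
    try:
        fetch_safe(conn, payload, "7")
        blocked = False
    except ValueError:
        blocked = True
    return len(legit), len(leaked), blocked, fetch_safe(conn, "42", "7")


if __name__ == "__main__":
    legit_count, leaked_count, blocked, safe_rows = demo()
    print(f"legitimate lookup: {legit_count} row(s); with payload (unsafe): {leaked_count} row(s)")
    print(f"hardened query rejected payload: {blocked}; hardened legitimate lookup: {safe_rows}")
```

Validation and binding are both needed: binding alone stops the injection, but without the integer check a non-numeric value still reaches the database and produces an error that can be mistaken for an application fault rather than a rejected request.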

Compliance Impact

The SQL injection vulnerability in Joomla vWishlist 1.0.1 allows attackers to extract sensitive database information, including database names and versions, by injecting malicious SQL code through specific parameters.

Such unauthorized access to sensitive data can lead to data breaches, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential exposure or compromise of protected data.
