Joomla! EkRishta XSS and SQLi Flaws Pose High Risk (CVE-2018-25330)
The National Vulnerability Database highlights CVE-2018-25330, a high-severity vulnerability affecting the Joomla! EkRishta extension version 2.10. This flaw exposes systems to persistent cross-site scripting (XSS) and SQL injection attacks, rated with a CVSS score of 8.2 (HIGH). Attackers can exploit these vulnerabilities by injecting malicious code into user profile fields, such as the address, which then executes when other users view the compromised profile.
Further, the National Vulnerability Database indicates that SQL injection payloads can be submitted via the phone_no parameter to the user_setting endpoint. This allows attackers to manipulate database queries directly, potentially leading to data exfiltration, modification, or even full database compromise. The root cause is identified as CWE-89, a common vulnerability type related to improper neutralization of special elements used in an SQL command.
While specific affected products beyond the EkRishta extension are not detailed by the National Vulnerability Database, organizations utilizing this Joomla! component are at significant risk. The ease of exploitation (network-based with no privileges required) combined with the potential for high impact on confidentiality and low impact on integrity makes this a critical flaw that needs immediate attention from defenders.
What This Means For You
- If your organization uses the Joomla! EkRishta extension, particularly version 2.10, you are exposed. Attackers can inject malicious scripts and manipulate your database. Audit your Joomla! installations immediately to identify any instances of EkRishta 2.10. If found, remove or update the extension to a patched version to mitigate persistent XSS and SQL injection risks.
Related ATT&CK Techniques
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is shown below.
Joomla EkRishta SQL Injection via phone_no parameter - CVE-2018-25330
```yaml
title: Joomla EkRishta SQL Injection via phone_no parameter - CVE-2018-25330
id: scw-2026-05-17-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit the SQL injection vulnerability in the Joomla! EkRishta
    extension (CVE-2018-25330) by sending a POST request to the user_setting endpoint
    with a crafted phone_no parameter containing SQL injection payloads like '1=1'.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2018-25330/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    # Caveat: standard webserver access logs record the query string, not the
    # POST body, so this selection only fires when phone_no travels in cs-uri-query.
    # Both substrings must be present, hence the |all modifier (a repeated
    # cs-uri-query|contains key would be a duplicate YAML key, not an AND).
    selection:
        cs-uri|contains:
            - '/user_setting'
        cs-method:
            - 'POST'
        cs-uri-query|contains|all:
            - 'phone_no='
            - '1=1'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
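The selection logic of the rule above, replayed over a few constructed W3C-style access log lines. This is an added illustration, not code from the original page or from the EkRishta project; the field layout (`date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`) and the log lines are assumptions, and the query string is URL-decoded before matching so an encoded `1%3D1` is not missed.

```python
"""Replay of the Sigma selection for CVE-2018-25330 over constructed access log lines."""
from urllib.parse import unquote_plus

# Constructed sample lines in a W3C extended format (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-05-17 10:01:02 203.0.113.5 POST /index.php/user_setting phone_no=%271%3D1 200
2026-05-17 10:01:09 203.0.113.5 POST /index.php/user_setting phone_no=5551234 200
2026-05-17 10:02:10 198.51.100.7 GET /index.php/user_setting phone_no=1=1 200
2026-05-17 10:03:11 198.51.100.9 POST /index.php/profile address=1=1 200
"""

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def parse_w3c(text):
    """Yield one dict per well-formed log line, keyed by the W3C field names."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than abort the whole replay
        yield dict(zip(FIELDS, parts))


def matches_rule(entry):
    """Sigma selection: /user_setting AND POST AND query contains both
    'phone_no=' and '1=1'. The query is URL-decoded first, so the rule's
    plain-text substrings also catch percent-encoded payloads."""
    query = unquote_plus(entry["cs-uri-query"])
    return (
        "/user_setting" in entry["cs-uri-stem"]
        and entry["cs-method"] == "POST"
        and "phone_no=" in query
        and "1=1" in query
    )


def hits(text):
    """Return (client IP, decoded query) for every line the selection matches."""
    return [(e["c-ip"], unquote_plus(e["cs-uri-query"]))
            for e in parse_w3c(text) if matches_rule(e)]


if __name__ == "__main__":
    for ip, query in hits(SAMPLE_LOG):
        print(f"ALERT cve-2018-25330 client={ip} query={query}")
```

Only the first sample line fires: the second lacks the payload, the third is a GET, and the fourth targets a different endpoint. Because access logs do not carry POST bodies, a request that sends `phone_no` only in the body is invisible to this rule and needs a WAF or application log source instead.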
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25330 | XSS | Joomla! extension EkRishta 2.10 - persistent cross-site scripting via profile information fields (e.g., Address) |
| CVE-2018-25330 | SQLi | Joomla! extension EkRishta 2.10 - SQL injection via POST parameter 'phone_no' to 'user_setting' endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 17, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.