CVE-2021-47930: Unauthenticated SQLi in Balbooa Joomla Forms Builder
The National Vulnerability Database has detailed CVE-2021-47930, an unauthenticated SQL injection vulnerability in Balbooa Joomla Forms Builder version 2.0.6. This flaw, rated 8.2 (HIGH) on the CVSS scale, allows remote attackers to execute arbitrary SQL queries by manipulating the form submission handler.
Attackers can exploit this by sending crafted POST requests to the com_baforms component. Malicious JSON payloads injected into the ‘id’ field parameter enable the extraction of sensitive database information. This is a direct path to data exfiltration and potential system compromise.
For defenders, this means any Joomla installations running the affected Balbooa Forms Builder are exposed. The unauthenticated nature of this vulnerability significantly lowers the bar for exploitation, making it a prime target for opportunistic attackers. Patches or immediate mitigation are critical to prevent unauthorized access to backend databases.
What This Means For You
- If your organization uses Balbooa Joomla Forms Builder, specifically version 2.0.6, you are directly exposed to unauthenticated SQL injection. This is not a theoretical risk; attackers can extract sensitive database information with minimal effort. Prioritize patching or disable the component immediately if you cannot update. Audit logs for suspicious POST requests to `/com_baforms`.
🛡️ Detection Rules
2 rules · 6 SIEM formats. 2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2021-47930: Balbooa Forms Builder Unauthenticated SQLi Attempt
```yaml
# Title is quoted: a plain YAML scalar may not contain ': ' a second time.
title: 'CVE-2021-47930: Balbooa Forms Builder Unauthenticated SQLi Attempt'
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2021-47930, an unauthenticated SQL injection vulnerability in Balbooa Joomla Forms Builder. Attackers send POST requests to the 'com_baforms' component with a malicious 'id' parameter containing JSON, which is then processed by the form submission handler, leading to SQL injection. This rule specifically looks for the vulnerable component path and the presence of the 'id=' parameter in the query string, which are key indicators of this exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2021-47930/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        # Sigma webserver taxonomy field for the request path is 'c-uri'.
        c-uri|contains:
            - '/components/com_baforms/'
        # Exact match is the default; Sigma has no 'exact' modifier.
        cs-method: 'POST'
        cs-uri-query|contains:
            - 'id='
    # The 'id' parameter is expected to contain JSON, and the SQLi targets a specific key within that JSON.
    # While we can't directly inspect JSON content with these fields, the presence of 'id=' in the query string
    # combined with the component path is a strong indicator for this specific vulnerability.
    # A more advanced rule might look for specific SQL syntax within the 'id' parameter if the log source supported it.
    # Note: a parameter sent in the POST body never appears in cs-uri-query; only a log source that records
    # request bodies (e.g. a WAF or reverse proxy) can see it, so pair this rule with such a source where available.
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
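The rule's selection logic applied to a few constructed W3C-style access log lines, as an added example (not code from Shimi's Cyber World or from the Sigma project). It assumes a seven-field line layout (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) and tightens the rule's `id=` substring test to a query parameter literally named `id`, so that e.g. `formid=2` does not fire.

```python
from urllib.parse import parse_qs

# Constructed sample log lines (not real traffic). Field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-05-10 16:20:01 203.0.113.5 POST /index.php id=%7B%22form%22%3A1%7D 200
2026-05-10 16:20:02 203.0.113.5 POST /components/com_baforms/ id=%7B%22form%22%3A1%7D 200
2026-05-10 16:20:03 198.51.100.7 GET /components/com_baforms/assets/app.js - 200
2026-05-10 16:20:04 203.0.113.5 POST /components/com_baforms/ form=3 200
2026-05-10 16:20:05 203.0.113.5 POST /components/com_baforms/ formid=2 200
"""

FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")


def parse_w3c(line: str) -> dict:
    """Split one whitespace-delimited W3C log line into named fields."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    # W3C writes '-' for an empty field; normalise it to '' for the tests below.
    return {k: ("" if v == "-" else v) for k, v in zip(FIELDS, values)}


def matches_cve_2021_47930(rec: dict) -> bool:
    """Mirror the Sigma selection: component path AND POST AND an 'id' parameter.

    parse_qs() is used instead of a bare 'id=' substring so that parameters
    such as 'formid' do not produce false positives.
    """
    params = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
    return (
        "/components/com_baforms/" in rec["cs-uri-stem"]
        and rec["cs-method"] == "POST"
        and "id" in params
    )


def scan(log_text: str) -> list:
    """Return (line_no, c-ip, cs-uri-query) for every record the rule fires on."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip() and matches_cve_2021_47930(parse_w3c(line)):
            rec = parse_w3c(line)
            hits.append((n, rec["c-ip"], rec["cs-uri-query"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("CVE-2021-47930 rule hit:", hit)
```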
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47930 | SQLi | Balbooa Joomla Forms Builder version 2.0.6 |
| CVE-2021-47930 | SQLi | Unauthenticated SQL injection in form submission handler |
| CVE-2021-47930 | SQLi | POST request to com_baforms component with malicious JSON in 'id' field parameter |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.