CVE-2018-25433: JE Photo Gallery SQL Injection Vulnerability in Joomla
The JE Photo Gallery component for Joomla version 1.1 contains a critical flaw that allows attackers to inject malicious SQL commands without needing credentials. By manipulating a parameter in web requests, attackers can extract sensitive information directly from the database, including user credentials. This vulnerability requires no authentication or user interaction, making it particularly dangerous for websites using this component.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted categoryid values in the com_jephotogallery component to execute arbitrary SQL queries and retrieve sensitive data like usernames and password hashes.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25433 is an unauthenticated SQL injection vulnerability in the com_jephotogallery Joomla component version 1.1. The vulnerability exists in the handling of the categoryid parameter, which is not properly sanitized before being used in database queries. Attackers can craft malicious GET requests to index.php containing SQL code in the categoryid field, allowing them to execute arbitrary SQL statements. This enables data exfiltration of sensitive information such as usernames and password hashes from the Joomla database. The vulnerability is classified under CWE-89 (SQL Injection).
Business impact
Successful exploitation of this vulnerability can result in unauthorized access to sensitive business and user data stored in the Joomla database. Attackers can retrieve administrator credentials, user account details, and password hashes, potentially leading to account takeovers and further system compromise. For organizations running websites with this component, the exposure includes reputational damage, regulatory compliance violations, and potential liability for data breaches. The ease of exploitation means this vulnerability poses an immediate and ongoing risk if left unpatched.
Affected systems
This vulnerability specifically affects Joomla installations running the JE Photo Gallery component version 1.1. Any website using this component is potentially vulnerable to unauthenticated SQL injection attacks. The vulnerability can be exploited remotely without requiring the attacker to have prior system access or valid credentials, making the attack surface very broad for all internet-facing Joomla instances using this component.
Exploitability
This vulnerability has a high exploitability profile. The attack requires only network access and involves sending a simple HTTP GET request with crafted parameters—no authentication, no special user interaction, and no client-side complexity. The vulnerability can be discovered and exploited through basic web application scanning tools and manual testing. Given the straightforward nature of SQL injection attacks and the public nature of this CVE disclosure, widespread exploit development and automated scanning are likely or already occurring.
Remediation
Immediate action is required for any Joomla installation using the JE Photo Gallery component. The primary remediation is to remove or disable the vulnerable component until a patched version becomes available. Verify the current version of the component and confirm it is version 1.1 or earlier. Check the JE Photo Gallery vendor advisory or official plugin repository for available security updates. If no patch is available, consider switching to an alternative, actively maintained photo gallery component or implementing Web Application Firewall (WAF) rules to block malicious SQL injection attempts in the categoryid parameter.
Patch guidance
Contact the JE Photo Gallery component developer to determine patch availability and timeline. Verify against the vendor advisory for the specific patched version number that addresses this SQL injection vulnerability. Organizations should establish a timeline for testing and deploying the patch in a staging environment before applying it to production systems. If the vendor no longer maintains this component, plan for migration to a supported alternative.
Detection guidance
Monitor web server and application logs for suspicious GET requests to index.php containing unusual SQL syntax in the categoryid parameter. Look for common SQL injection patterns such as single quotes, SQL comments (--), UNION keywords, and semicolons within the categoryid value. Implement WAF rules to detect and block requests matching SQL injection signatures targeting this parameter. Use database query logging to identify any unauthorized or anomalous queries executed through this component. Conduct a retrospective search of access logs to determine if exploitation has already occurred.
Why prioritize this
This vulnerability warrants immediate priority due to the combination of high CVSS score (8.2), unauthenticated attack vector, and direct access to sensitive database information. The SQL injection flaw allows attackers to completely bypass application security controls and extract credential data. The ease of exploitation and the public nature of the disclosure mean active exploitation is likely already underway or will commence shortly. Organizations must treat this as a critical remediation priority.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects a network-exploitable vulnerability requiring no authentication or user interaction, resulting in high confidentiality impact (access to database contents including credentials) and low integrity impact (potential for data modification). The attack complexity is low and the scope is unchanged, indicating a straightforward exploitation path with significant business risk. This score appropriately prioritizes this vulnerability as requiring urgent attention.
Frequently asked questions
Can this vulnerability be exploited if the website is behind a firewall or not directly internet-facing?
Yes. While the vulnerability requires network access to the web server, if the server is accessible to any untrusted network—including internal networks or VPNs—the vulnerability can be exploited. Even if the website is not intentionally internet-facing, misconfigured firewall rules or network architecture could expose it.
Does updating Joomla core fix this vulnerability?
No. This vulnerability is in the JE Photo Gallery component, not in the Joomla core platform. Updating Joomla will not remediate this issue. You must specifically update or remove the vulnerable component.
How can I quickly assess if my site has been compromised through this vulnerability?
Check database access logs for unusual queries executed around the published CVE date (June 1, 2026 and after). Look for new administrator accounts created without authorization, unusual changes to user permissions, or evidence of data exfiltration. Monitor for any unauthorized access to password hashes or user account tables. Consider engaging a security professional to conduct a thorough forensic analysis if compromise is suspected.
What is the difference between removing and disabling the component?
Disabling the component prevents it from executing but leaves the code on the server, which could still be exploited if the disable mechanism fails or is bypassed. Complete removal from the server is the safer interim measure until a patch is available and tested.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. Organizations should verify all remediation steps against official vendor advisories and conduct thorough testing in non-production environments before deploying patches. SEC.co does not warrant the accuracy or completeness of this analysis and recommends consulting with qualified security professionals for your specific environment. Actual patch availability and version numbers should be confirmed directly with the JE Photo Gallery vendor or official repository before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access