PatchSiren

CVE-2018-25380 Extro CVE debrief

CVE-2018-25380 documents an authenticated SQL injection vulnerability in eXtroForms 2.1.5, a Joomla! component. The flaw sits in the extroformfield view, whose filter_type_id, filter_pid_id, and filter_search parameters are incorporated into SQL queries without adequate sanitization. An attacker holding valid credentials can submit crafted POST requests carrying SQL payloads in these parameters and execute arbitrary SQL against the backend database, which permits extraction of sensitive database contents and database-server information. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and low privileges required, with high confidentiality impact. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVE was published on 2026-05-25 and modified on 2026-05-26; its NVD status is currently 'Deferred'.

Vendor
Extro
Product
eXtroForms
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running Joomla! installations with the eXtroForms component at version 2.1.5 (earlier releases are not named in the stored evidence but should be treated as suspect until the vendor states otherwise); security teams managing content management system security; web application developers maintaining custom Joomla! extensions; database administrators responsible for securing backend data stores

Technical summary

The eXtroForms component for Joomla! version 2.1.5 contains an authenticated SQL injection vulnerability in the extroformfield view. Three parameters (filter_type_id, filter_pid_id, and filter_search) are accepted from POST requests and placed into SQL without adequate sanitization. Exploitation requires valid credentials, but a successful attacker runs arbitrary SQL with the privileges of the Joomla! database account, which on a typical installation can read every table in the site database, so exposure is not limited to the component's own data.
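To make the bug class concrete, the following is an added example (not eXtroForms code and not from the advisory): it models a Joomla-style list view that takes the three filter parameters, once in the vulnerable string-concatenation form and once in the parameterized form the recommended actions call for, and runs both against an in-memory SQLite database. The table names (extro_fields, users), columns, rows and payloads are all constructed for the demonstration.

```python
"""CVE-2018-25380 bug class, modelled: a Joomla-style list view whose
filter_type_id / filter_pid_id / filter_search values reach the SQL text.

Added, constructed example. It is NOT the eXtroForms source: the table
names (extro_fields, users), columns and data are assumptions chosen so
the injection can be exercised offline against in-memory SQLite."""
import sqlite3

SCHEMA = """
CREATE TABLE extro_fields (id INTEGER PRIMARY KEY, type_id INTEGER,
                           pid_id INTEGER, name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO extro_fields VALUES (1, 1, 10, 'email'), (2, 2, 10, 'phone'),
                                (3, 1, 20, 'address');
INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password'),
                         (2, 'editor', 'hash-of-editor-password');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def list_fields_vulnerable(db, filter_type_id="", filter_pid_id="", filter_search=""):
    """Bug class from the advisory: filter values are concatenated into SQL."""
    sql = "SELECT id, name FROM extro_fields WHERE 1=1"
    if filter_type_id:
        sql += " AND type_id = " + filter_type_id
    if filter_pid_id:
        sql += " AND pid_id = " + filter_pid_id
    if filter_search:
        sql += " AND name LIKE '%" + filter_search + "%'"
    return db.execute(sql).fetchall()


def list_fields_fixed(db, filter_type_id="", filter_pid_id="", filter_search=""):
    """Hardened form: integer filters are cast (a non-integer raises
    ValueError and the request should be rejected), the search term is
    passed as a bound parameter with LIKE wildcards escaped."""
    sql = "SELECT id, name FROM extro_fields WHERE 1=1"
    params = []
    if filter_type_id:
        sql += " AND type_id = ?"
        params.append(int(filter_type_id))
    if filter_pid_id:
        sql += " AND pid_id = ?"
        params.append(int(filter_pid_id))
    if filter_search:
        # Escape LIKE metacharacters so a user cannot widen the match.
        escaped = (filter_search.replace("\\", "\\\\")
                                .replace("%", "\\%")
                                .replace("_", "\\_"))
        sql += " AND name LIKE ? ESCAPE '\\'"
        params.append(f"%{escaped}%")
    return db.execute(sql, params).fetchall()


# Payloads of the kind the advisory describes, constructed for the demo.
UNION_PAYLOAD = "1 UNION SELECT id, username || ':' || password FROM users"
TAUTOLOGY_PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = open_db()
    print("vulnerable, type_id payload:",
          list_fields_vulnerable(db, filter_type_id=UNION_PAYLOAD))
    print("vulnerable, search payload: ",
          list_fields_vulnerable(db, filter_search=TAUTOLOGY_PAYLOAD))
    print("fixed, search payload:      ",
          list_fields_fixed(db, filter_search=TAUTOLOGY_PAYLOAD))
```

The UNION payload in filter_type_id makes the vulnerable query return user credentials alongside the form fields, which is exactly the "extraction of sensitive database contents" the advisory describes; the fixed version rejects it at the integer cast before any SQL runs. The Joomla! equivalent is casting numeric filters with (int) and passing strings through the database API's quoting or bound parameters rather than string concatenation.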

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-supplied patches for eXtroForms if available; contact extro.media for patch status if no update is listed
  • Implement parameterized queries or prepared statements for all database interactions in custom Joomla! components; in Joomla! terms, bind query parameters or, at minimum, cast numeric filters with (int) and pass strings through the database API's quote() rather than concatenating them into SQL
  • Apply principle of least privilege to database accounts used by Joomla! components
  • Review request logs for POST requests to the extroformfield view whose filter_type_id or filter_pid_id values are not plain integers, or whose filter_search value contains quotes, comment sequences or SQL keywords. Note that stock web-server access logs and Joomla!'s User Actions Log do not record POST bodies, so this check needs a WAF or reverse proxy configured to log request bodies
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in filter_type_id, filter_pid_id, and filter_search parameters
  • Conduct code review of eXtroForms or similar custom form components for additional injection vectors
  • If patching is not immediately feasible, restrict access to the extroformfield administrative interface, and in practice the whole /administrator/ backend, to trusted IP ranges; this reduces exposure but does not remove the vulnerability for account holders inside the allowed ranges
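The log-review action above is easy to state and fiddly to do, because the evidence is in POST bodies. The following is an added example (not part of the advisory) of a triage pass over such logs. It assumes a reverse proxy or WAF that writes one line per request in the constructed format `timestamp ip method url body="..."`; the format and every log line are fabricated for the demo, as is the jos_users table name in one payload. The integer check on filter_type_id and filter_pid_id is the high-confidence signal; the pattern match on filter_search is a heuristic that will flag legitimate searches containing an apostrophe and should be tuned.

```python
"""Detection pass for CVE-2018-25380-style requests against the
extroformfield view. Added example, not from the advisory. Assumes a
WAF/reverse-proxy log that includes request bodies in the constructed
one-line format below (stock access logs do not record POST bodies)."""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_VIEW = "extroformfield"
ID_PARAMS = ("filter_type_id", "filter_pid_id")   # must be integers
TEXT_PARAMS = ("filter_search",)                  # free text, heuristic check

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body="(?P<body>.*)"$'
)

# Ordered: the first matching pattern supplies the reason string.
SQLI_PATTERNS = [
    (re.compile(r"'|\"|--|/\*|;"), "SQL metacharacter or comment"),
    (re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I), "SQL keyword"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I), "time-based probe"),
    (re.compile(r"\b(or|and)\b\s*[\w']+\s*=\s*[\w']+", re.I), "tautology"),
]


def targets_vulnerable_view(url):
    """True when the request's query string selects view=extroformfield."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("view", [""])[0] == TARGET_VIEW


def classify_value(param, value):
    """Return a reason string if the value looks like an injection attempt, else None."""
    if param in ID_PARAMS:
        if value == "" or (value.isascii() and value.isdigit()):
            return None
        return "non-numeric value in integer filter"
    for pattern, reason in SQLI_PATTERNS:
        if pattern.search(value):
            return reason
    return None


def scan(lines):
    """Return one finding per suspicious filter value in POSTs to the target view."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not targets_vulnerable_view(m["url"]):
            continue
        body = parse_qs(m["body"], keep_blank_values=True)   # URL-decodes values
        for param in ID_PARAMS + TEXT_PARAMS:
            for value in body.get(param, []):
                reason = classify_value(param, value)
                if reason:
                    findings.append({"ts": m["ts"], "ip": m["ip"], "param": param,
                                     "value": value, "reason": reason})
    return findings


# Constructed sample log: one benign request, three probes, one request to
# an unrelated view that must be ignored even though its body looks hostile.
SAMPLE_LOG = [
    '2026-05-25T10:01:02Z 203.0.113.5 POST /administrator/index.php?option=com_extroforms&view=extroformfield body="filter_type_id=1&filter_pid_id=10&filter_search=email"',
    '2026-05-25T10:01:09Z 203.0.113.5 POST /administrator/index.php?option=com_extroforms&view=extroformfield body="filter_type_id=1+UNION+SELECT+username%2Cpassword+FROM+jos_users&filter_pid_id=&filter_search="',
    '2026-05-25T10:01:15Z 203.0.113.5 POST /administrator/index.php?option=com_extroforms&view=extroformfield body="filter_type_id=&filter_pid_id=10%20AND%20SLEEP(5)&filter_search="',
    '2026-05-25T10:01:21Z 203.0.113.5 POST /administrator/index.php?option=com_extroforms&view=extroformfield body="filter_type_id=&filter_pid_id=&filter_search=%27%20OR%201%3D1--"',
    '2026-05-25T10:02:00Z 198.51.100.7 POST /administrator/index.php?option=com_content&view=articles body="filter_search=%27%20OR%201%3D1--"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['reason']}")
```

Three findings come out of the sample: the UNION in filter_type_id, the SLEEP probe in filter_pid_id, and the quoted tautology in filter_search; the com_content request is skipped because scoping on view=extroformfield keeps the hunt focused on this CVE. The same classify_value logic is the rule a WAF should enforce on these three parameters, with the integer checks as hard blocks.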

Evidence notes

The vulnerability description is sourced from NVD metadata and VulnCheck advisory. The affected version (2.1.5) and vulnerable parameters (filter_type_id, filter_pid_id, filter_search) are explicitly identified in the source data. The CVSS 4.0 vector and CWE-89 classification are provided in NVD records.

Official resources

The vulnerability was disclosed via VulnCheck and is documented in Exploit-DB. The eXtroForms component is distributed through the Joomla! Extensions Directory.