CVE-2018-25433: Joomla JE Photo Gallery 1.1 SQL Injection via categoryid
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted categoryid values in the com_jephotogallery component to execute arbitrary SQL queries and retrieve sensitive data like usernames and password hashes.
Security readout for executives and security teams
Plain-English summary
CVE-2018-25433 is a high-risk database injection issue in Joomlaextensions JE Photo Gallery 1.1. An unauthenticated remote attacker may be able to read sensitive database information through a public gallery parameter. The sources do not identify a vendor patch or confirm active exploitation in the wild.
Executive priority
Prioritize externally exposed Joomla sites first. The business risk is unauthorized database disclosure, potentially including usernames and password hashes. Because no patch is named in the sources, containment and vendor guidance checks should happen promptly.
Technical view
The issue is CWE-89 SQL injection in the categoryid parameter of Joomla com_jephotogallery, affecting JE Photo Gallery 1.1. The supplied CVSS v4 score is 8.8 with network access, low complexity, no privileges, and no user interaction. Public exploit material exists, but KEV status is false.
Likely exposure
Exposure is most likely on public Joomla sites that have JE Photo Gallery 1.1 installed and reachable. Risk depends on whether the component is enabled and whether the vulnerable route is externally accessible. Organizations without Joomla or this extension are not affected based on the supplied sources.
Exploitation context
ExploitDB and VulnCheck references indicate public exploit documentation exists for this vulnerability. The source bundle does not show CISA KEV listing or other evidence of active exploitation. Treat internet-facing instances as urgent because no authentication or user interaction is required.
Researcher notes
Evidence is strong for the affected component, version, vulnerable parameter, and public exploit availability. Evidence is incomplete for patch status, active exploitation, and affected deployment prevalence. Avoid assuming other JE Photo Gallery versions are affected unless vendor or advisory sources confirm it.
Mitigation direction
Inventory Joomla sites for JE Photo Gallery and confirm installed versions.
Disable or remove JE Photo Gallery 1.1 where business impact allows.
Check vendor and advisory sources for supported fixed versions or replacement guidance.
Restrict public access to affected Joomla paths if removal is delayed.
Review database and Joomla credentials if suspicious access is found.
Validation and detection
Confirm whether com_jephotogallery is installed and enabled on each Joomla site.
Verify whether the vulnerable gallery route is reachable from the internet.
Review web logs for unusual requests involving com_jephotogallery and categoryid.
Check database access logs for unexpected reads from the Joomla application account.
Document unaffected assets where the component is absent.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-89 · source CWE mapping
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.