CVE-2018-25330

Joomla! EkRishta 2.10 Persistent XSS and SQL Injection

CVSS 8.8 HIGHEPSS 0.3%CWE-89

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.8EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

17 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Joomlaextensions · Joomla! extension EkRishta

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/44660unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/https://www.exploit-db.com/exploits/44660 https://www.joomlaextensions.co.in/https://www.vulncheck.com/advisories/joomla-ekrishta-persistent-xss-and-sql-injection