CVE-2018-25330: Joomla! EkRishta XSS Vulnerability

CVE-2018-25330 Overview

CVE-2018-25330 affects the Joomla! extension EkRishta version 2.10, a dating and relationships component distributed through the Joomla Extensions Directory. The extension contains two distinct flaws: persistent cross-site scripting (XSS) through profile fields and SQL injection [CWE-89] through the phone_no POST parameter handled by the user_setting endpoint. Attackers can inject script payloads into fields such as Address, causing arbitrary JavaScript to execute when other users view the profile. They can also manipulate database queries by submitting crafted input to the user settings endpoint, exposing stored data.

Critical Impact

Unauthenticated attackers can extract database contents via SQL injection and hijack authenticated sessions through stored XSS payloads triggered on profile views.

Affected Products

• Joomla! extension EkRishta 2.10
• Distributed via the Joomla Extension EK Rishta directory listing
• Source vendor page: Joomla Extensions Resource

Discovery Timeline

• 2026-05-17 - CVE-2018-25330 published to NVD
• 2026-05-18 - Last updated in NVD database

Technical Details for CVE-2018-25330

Vulnerability Analysis

The EkRishta 2.10 extension exposes two separate input-handling weaknesses. The first is a stored XSS flaw in profile editing routines. User-supplied content in profile fields such as Address is written to the database and rendered back to viewers without sufficient HTML encoding or sanitization. Any visitor loading the malicious profile executes attacker-controlled JavaScript in the context of the Joomla site.

The second is a SQL injection flaw in the user_setting request handler. The phone_no POST parameter is concatenated into a SQL statement without parameterization or strict input validation. An attacker can append UNION-based or boolean clauses to alter the executed query, enumerate tables, and exfiltrate data including credentials and session material.

Combined, these flaws enable account takeover. Stored XSS can steal session cookies or trigger administrative actions, while SQL injection allows direct database access. The extension is reachable over the network and requires no authentication for exploitation in the documented attack paths described in the VulnCheck Advisory on Joomla EK Rishta.

Root Cause

The root cause is missing output encoding for profile data and missing parameterization in the SQL layer that processes user_setting updates. The extension trusts client-supplied strings and inserts them into HTML output and SQL statements without contextual escaping.

Attack Vector

Exploitation occurs over HTTP. For XSS, an attacker registers or edits a profile and stores a payload in the Address field. The payload fires when any user, including administrators, views the profile. For SQL injection, the attacker submits a crafted phone_no value to the user_setting endpoint. Public exploitation details are available in Exploit-DB #44660.

No verified proof-of-concept code is reproduced here. See the linked Exploit-DB entry for the original technical demonstration.

Detection Methods for CVE-2018-25330

Indicators of Compromise

• POST requests to the user_setting endpoint containing SQL metacharacters such as ', UNION SELECT, --, or OR 1=1 in the phone_no parameter.
• Profile records where address or other free-text fields contain <script>, onerror=, javascript:, or HTML event handler strings.
• Unexpected outbound requests from administrator browsers shortly after viewing user profiles, suggesting XSS-driven session theft.
• Web server access logs showing repeated requests from a single source iterating through profile IDs or settings parameters.

Detection Strategies

• Inspect Joomla database tables used by EkRishta for stored payloads containing script tags or HTML event handlers in user-controlled fields.
• Deploy web application firewall (WAF) signatures for common SQL injection patterns targeting the phone_no parameter and user_setting route.
• Correlate HTTP 500 responses and database error messages with requests to EkRishta endpoints to identify probing activity.

Monitoring Recommendations

• Forward Joomla access logs and MySQL/MariaDB query logs to a centralized log platform for query-pattern analysis.
• Alert on administrator session anomalies such as new IPs or user-agent changes following profile-view events.
• Track changes to the Joomla #__users and EkRishta extension tables, especially in fields rendered without encoding.

How to Mitigate CVE-2018-25330

Immediate Actions Required

• Disable or uninstall the EkRishta 2.10 extension until a patched release from the vendor is confirmed.
• Audit user profile data and purge stored HTML or script content from free-text fields such as Address.
• Rotate Joomla administrator and database credentials if logs show evidence of SQL injection attempts.
• Restrict access to the EkRishta endpoints behind authentication or IP allowlisting while remediation is in progress.

Patch Information

No vendor patch is referenced in the available advisories. Confirm the current status of the extension through the Joomla Extension EK Rishta directory listing and the VulnCheck Advisory on Joomla EK Rishta before re-enabling the component.

Workarounds

• Apply WAF rules that block SQL metacharacters and UNION SELECT patterns in POST bodies targeting the user_setting route.
• Enforce a strict Content Security Policy (CSP) on the Joomla site to limit execution of inline scripts injected through stored XSS.
• Add server-side input validation that rejects HTML tags and non-numeric characters in fields such as phone_no and Address.
• Remove the EkRishta extension entirely if it is not business-critical, eliminating the affected attack surface.

# Example WAF rule snippet (ModSecurity) to block SQLi against user_setting
SecRule REQUEST_URI "@contains user_setting" \
  "phase:2,id:1002530,deny,status:403,log,\
   msg:'CVE-2018-25330 EkRishta SQLi attempt',\
   chain"
  SecRule ARGS:phone_no "@rx (?i)(union(\s)+select|--|';|or\s+1=1)" "t:none"