Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

SQL injection in the mod_vvisit_counter module

Posted date 03/10/2025
Identificador
INCIBE-2025-0540
Importance
5 - Critical
Affected Resources

mod_vvisit_counter, version 2.0.4j3.

Description

INCIBE has coordinated the publication of a critical vulnerability affecting mod_vvisit_counter, a Joomla module for counting visits. The vulnerability was discovered by Andrea Serrano Urea.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-40636: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. | CWE-89.
Solution

The product has reached the end of its useful life (EoL), so there is no solution.

Detail

CVE-2025-40636: SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.

CVE
Explotación
No
Nuevo Fabricante
mod_vvisit_counter
Identificador CVE
CVE-2025-40636
Severidad
Crítica
References list
Joomla Visitors Counter - mod_vvisit_counter Vorwort
Etiquetas