CVE-2025-22210
Published: 25 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-22210 is a SQL injection vulnerability (CWE-89) affecting the Hikashop component for Joomla in versions 3.3.0 through 5.1.4. Published on 2025-02-25, it resides in the category management area of the backend, where insufficient input validation allows arbitrary SQL command execution. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Authenticated attackers with administrator privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL commands, potentially allowing full database compromise, data extraction, modification, or deletion within the Joomla site's backend environment.
Advisories and further details are available in the provided references, including a GitHub repository at https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22210 and the official Hikashop site at https://www.hikashop.com/. Security practitioners should consult these sources for patch information and mitigation guidance specific to affected versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Joomla backend enables exploitation of public-facing web app (T1190), arbitrary SQL queries for database data collection (T1213.006), and data manipulation/deletion (T1565.001).