Joomla Security Alert: Critical SQL Injection & MFA Bypass Vulnerabilities Uncovered

The Joomla Project has issued two security announcements addressing two significant vulnerabilities affecting its CMS and database packages, including a critical SQL injection flaw (CVE-2025-25226) and a two-factor authentication bypass (CVE-2025-25227).

The more critical of the two, CVE-2025-25226, exposes a dangerous SQL injection vulnerability within the quoteNameStr method of Joomla’s Database package. According to the official announcement, “Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package.” This flaw, rated with a CVSS score of 9.8, signifies the potential for severe consequences if exploited.

Specifically, the vulnerable versions of the Database package are 1.0.0-2.1.1 and 3.0.0-3.3.1. However, Joomla clarifies: “The affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.”

This means that while standard Joomla installations might not be directly at risk, custom extensions or modified classes that utilize this vulnerable method could be highly susceptible. Administrators who have implemented custom database interactions must carefully scrutinize their code.

The second vulnerability, CVE-2025-25227, involves a MFA authentication bypass. This flaw, with a CVSS score of 7.5, stems from “Insufficient state checks lead to a vector that allows to bypass 2FA checks.” This could allow malicious actors to circumvent the added security layer of MFA, granting unauthorized access to sensitive accounts and data.

This vulnerability affects Joomla! CMS versions 1.0.0-2.1.1 and 3.0.0-3.3.1. The ability to bypass MFA can have serious consequences, allowing attackers to gain full control of affected Joomla installations.

Joomla has released patched versions to address these vulnerabilities. The recommended solutions are:

• For CVE-2025-25226 (SQL Injection): Upgrade the Database package to version 2.2.0 or 3.4.0.
• For CVE-2025-25227 (MFA Bypass): Upgrade Joomla! CMS to version 4.4.13 or 5.2.6.

Website administrators are strongly advised to apply these updates immediately to mitigate the risks. Delaying these updates can expose their sites to potential attacks, leading to data breaches, unauthorized access, and other damaging outcomes.

Related Posts:

• Safeguard Your Joomla Site: Patch CVE-2023-40626 Vulnerability
• CVE-2024-21726: Patch Now to Stop Joomla Remote Code Execution
• Phishing Campaign Bypasses MFA to Target Meta Business Accounts, Putting Millions at Risk
• FBI, CISA, NSA Warn of Iranian Cyberattacks on Critical Infrastructure

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts