Platform: joomla
Component: joomla
Fixed in: 2.13.4
CVE-2023-54363 is a reflected cross-site scripting (XSS) vulnerability in the Joomla Solidres extension, version 2.13.3. Several GET parameters are echoed into the page without output encoding, so an unauthenticated attacker can craft a URL that, when a victim opens it, runs attacker-supplied script in the victim's browser session on the affected site. Successful exploitation can lead to session hijacking, credential theft, or unauthorized modification of page content as the victim sees it. The vulnerability was published on 2026-04-09; the fixed version is listed above as 2.13.4.
The impact is that an attacker can execute arbitrary JavaScript in the context of a victim's browser session on the vulnerable site. By placing a JavaScript payload in parameters such as 'show', 'reviews' and 'type_id' and luring users to the crafted link (by email, chat or a forum post, for instance), the attacker gets the injected script run when the page renders the reflected value. That script can read session cookies not marked HttpOnly, capture credentials typed into injected forms, or redirect the user to a phishing site. The exposure covers every visitor of a site running Solidres 2.13.3 who can be induced to open such a link, including administrators, whose sessions are the most valuable target. The root cause is the classic one for reflected XSS: user-controlled input is written into the HTML response without being validated and encoded for the context in which it lands.
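To make the bug class concrete, here is an added Python model of a page that echoes the three named parameters. It is not Solidres code (which is PHP); the template, the parameter handling and the probe payload are constructed for illustration. The unsafe render pastes the raw query value into the HTML; the hardened one allow-lists 'type_id' as digits (it lands inside a URL) and HTML-encodes the free-text values for the attribute and text contexts they land in, and a small check tells whether a probe payload survives into the response unencoded:

```python
import html

# Constructed stand-in for a page that reflects GET parameters into three
# different HTML contexts: a quoted attribute, a URL in href, and text content.
# This models the bug class only; it is not the Solidres template.
TEMPLATE = (
    '<div class="reviews" data-show="{show}">'
    '<a href="?type_id={type_id}">Reviews ({reviews})</a>'
    '</div>'
)


def render_unsafe(params):
    """Vulnerable pattern: raw query values pasted straight into the HTML."""
    return TEMPLATE.format(
        show=params.get("show", ""),
        type_id=params.get("type_id", ""),
        reviews=params.get("reviews", ""),
    )


def render_safe(params):
    """Hardened pattern: validate by type where possible, then encode the
    remaining free-text values for the HTML context they are written into."""
    type_id = params.get("type_id", "")
    # Allow-list: an identifier that lands in a URL must be digits only;
    # anything else is dropped rather than encoded.
    type_id = type_id if type_id.isdigit() else ""
    return TEMPLATE.format(
        # quote=True also encodes ' and ", which matters inside attributes.
        show=html.escape(params.get("show", ""), quote=True),
        type_id=type_id,
        reviews=html.escape(params.get("reviews", ""), quote=True),
    )


def reflected_unencoded(body, payload):
    """True if the payload reaches the page byte-for-byte, i.e. a reflected
    XSS sink; False if it is absent or has been HTML-encoded."""
    return payload in body


# Constructed probe: breaks out of a quoted attribute and injects a script tag.
PAYLOAD = '"><script>alert(document.domain)</script>'

if __name__ == "__main__":
    crafted = {"show": PAYLOAD, "type_id": "1 OR 1", "reviews": PAYLOAD}
    print("unsafe reflects raw:", reflected_unencoded(render_unsafe(crafted), PAYLOAD))
    print("safe reflects raw:  ", reflected_unencoded(render_safe(crafted), PAYLOAD))
    print(render_safe(crafted))
```

The point of the contrast is that encoding is context-specific: `html.escape` is the right tool for attribute and text content, while a value that lands in a URL is better constrained to an allow-listed type than encoded after the fact.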
CVE-2023-54363 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Its EPSS score is 0.07% (20th percentile), a low predicted probability of exploitation, consistent with the need for user interaction and the absence of public exploitation reports. No public proof-of-concept (PoC) code is known, but reflected XSS needs nothing more than a crafted URL, so exploitation attempts are cheap once the affected parameters are known, and a low EPSS today should not be read as a reason to defer the upgrade.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The primary mitigation for CVE-2023-54363 is to upgrade Solidres to version 2.13.4 or later. Where the upgrade cannot be applied immediately, reduce exposure in the meantime. If you maintain local template overrides for the extension, make sure every value read from a GET parameter is validated by type where possible (for example, 'type_id' as an integer) and HTML-encoded for the context it is written into before it reaches the page. A Web Application Firewall (WAF) can block obvious payloads in the named parameters, but treat it as a stopgap: rules that look for '<script' in the raw request are bypassed with double URL-encoding or event-handler attributes, so match on decoded values and do not let the WAF substitute for the upgrade. Review access logs for requests whose query strings carry script-like content in 'show', 'reviews', 'type_id' or similar parameters. After upgrading, verify the fix by requesting the page with a harmless, unique marker (a made-up tag name rather than a live script) in each of those parameters and confirming that the marker appears in the response only in HTML-encoded form, or not at all.
Update the Solidres extension to 2.13.4 or later to remove the reflected XSS. Check the official Solidres documentation or the Joomla extensions directory for upgrade instructions. Going forward, validate and escape all user-supplied input before it is rendered, to prevent the same class of bug.
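The log review and post-upgrade verification steps above, as an added Python example that is not part of the original advisory or the Solidres project. The log lines, the URL layout and the probe marker are constructed; the parameter names are the ones the advisory cites. It decodes each query value a second time so that double-encoded payloads are still caught, flags requests where a watched parameter carries script-like content, and builds per-parameter probe URLs whose marker must come back encoded (or not at all) once the upgrade is in place:

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit

# GET parameters the advisory names as injection points.
WATCHED_PARAMS = ("show", "reviews", "type_id")

# Heuristics for script-like content, applied to the fully decoded value,
# not to the raw request line.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)

# Apache/nginx "combined"-style access log line (constructed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decoded_params(request_target):
    """Map each query parameter to its decoded values.

    parse_qsl performs one round of URL decoding; the extra unquote_plus
    unwraps double-encoded payloads (%253C -> %3C -> <) that a naive
    '<script' match on the raw line would miss.
    """
    params = {}
    for name, value in parse_qsl(urlsplit(request_target).query,
                                 keep_blank_values=True):
        params.setdefault(name, []).append(unquote_plus(value))
    return params


def suspicious_params(request_target):
    """Watched parameters whose decoded value looks like injected script."""
    return [
        name for name, values in decoded_params(request_target).items()
        if name in WATCHED_PARAMS and any(SUSPICIOUS.search(v) for v in values)
    ]


def scan_log(lines):
    """Return (client_ip, request_target, flagged_params) for each hit."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line in the expected format
        flagged = suspicious_params(match.group("target"))
        if flagged:
            hits.append((match.group("ip"), match.group("target"), flagged))
    return hits


def probe_urls(page_url, marker="zzq7xss"):
    """One URL per watched parameter carrying a harmless, unique marker tag.

    The marker is not executable, so it is safe to send against production;
    what matters is whether it comes back raw or encoded.
    """
    payload = f'"><{marker}>'
    return {name: f"{page_url}?{urlencode({name: payload})}"
            for name in WATCHED_PARAMS}


def fix_verified(response_body, marker="zzq7xss"):
    """True if the probe tag is absent or HTML-encoded in the response."""
    return f"<{marker}>" not in response_body


# Constructed sample access-log lines: benign traffic, a plain payload,
# a double-encoded payload, and a payload in a parameter we do not watch.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:10:15:01 +0000] "GET /index.php?show=1&type_id=3 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [09/Apr/2026:10:16:44 +0000] "GET /index.php?show=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310',
    '198.51.100.7 - - [09/Apr/2026:10:17:02 +0000] "GET /index.php?reviews=%2522%253E%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5310',
    '192.0.2.9 - - [09/Apr/2026:10:18:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 980',
]

if __name__ == "__main__":
    for ip, target, flagged in scan_log(SAMPLE_LOG):
        print(ip, flagged, target)
    for name, url in probe_urls("https://example.com/index.php").items():
        print(name, url)
```

Feed `scan_log` your real access log and `probe_urls` the page that reflects these parameters; pass each response body to `fix_verified`. A `False` from `fix_verified` after the upgrade means the parameter is still reflected raw and the site is still exposed.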
CVE-2023-54363 is a reflected cross-site scripting vulnerability in Joomla Solidres 2.13.3, allowing attackers to inject malicious scripts via manipulated GET parameters.
You are affected if you are using Joomla Solidres version 2.13.3 and your website is accessible to external users.
Upgrade Solidres to version 2.13.4 or later. Until then, validate and HTML-encode values read from GET parameters before they are rendered, as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could be targeted in the future.
Refer to the official Joomla security advisories and the Solidres website for updates and information regarding the fix.