Platform: joomla
Component: joomla
Fixed in: 4.7.5
CVE-2023-54364 describes a reflected cross-site scripting (XSS) vulnerability discovered in Joomla HikaShop versions prior to 4.7.4. This flaw allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. By crafting malicious URLs containing XSS payloads within the fromoption, fromctrl, fromtask, or fromitemid GET parameters of the product filter endpoint, attackers can potentially steal sensitive information like session tokens or login credentials. The vulnerability was published on 2026-04-09.
The primary impact of CVE-2023-54364 is the potential for attackers to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the website. An attacker could craft a seemingly innocuous link containing the XSS payload and distribute it through phishing emails or social media. When a victim clicks the link, the malicious script executes, potentially granting the attacker access to the victim's account or sensitive data. The blast radius extends to any user who interacts with the vulnerable product filter endpoint, making it a significant risk for e-commerce sites relying on HikaShop.
CVE-2023-54364 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, suggesting limited active exploitation at this time. The relatively low CVSS score (6.1) places the issue at medium severity, and the absence of public PoCs further reduces the immediate risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2023-54364 is to upgrade Joomla HikaShop to version 4.7.4 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the product filter endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Carefully review and restrict access to the product filter endpoint to authorized users only. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the filter parameters and verifying that it is properly sanitized.
Update to the latest available version of Joomla HikaShop, as this vulnerability is fixed in versions later than 4.7.4. Check the official HikaShop website for detailed instructions on how to update your installation. Additionally, review links to your website that have been shared or published and remove any that carry a malicious payload.
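The monitoring advice above and the WAF/output-encoding mitigations can both be made concrete. The following is an added example written for this page; it is not HikaShop or Joomla code. It scans access-log lines for requests in which any of the four parameters the advisory names (fromoption, fromctrl, fromtask, fromitemid) carries markup or script syntax after URL decoding, and it shows why HTML-encoding the value with quotes escaped renders such a probe inert. The Combined Log Format, the request path used in the sample lines, and the sample lines themselves are constructed assumptions; only the parameter names come from the advisory.

```python
"""Detect reflected-XSS probes against the HikaShop product filter parameters
and show why HTML output encoding neutralises them.

Added example, not HikaShop or Joomla code. Assumes a Combined Log Format
access log; the endpoint path and all log lines below are constructed.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# The GET parameters the advisory names as the injection points.
WATCHED_PARAMS = {"fromoption", "fromctrl", "fromtask", "fromitemid"}

# Legitimate values for these parameters are identifiers such as
# com_hikashop, product, listing, or an integer menu item id, so tag,
# event-handler, URL-scheme or entity syntax in a value is suspicious.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:|data\s*:|&#x?[0-9a-f]+;",
    re.IGNORECASE,
)

# Request line inside a Combined Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_request(log_line):
    """Return the request target (path + query) from one log line, or None."""
    m = REQUEST_RE.search(log_line)
    return m.group("target") if m else None


def suspicious_params(target, rounds=2):
    """Return {param: decoded_value} for watched params whose value looks like markup.

    Percent-decoding is repeated a bounded number of times so that a
    double-encoded payload (e.g. %253Cscript%253E) is inspected in final form.
    """
    query = parse_qs(urlparse(target).query, keep_blank_values=True)
    hits = {}
    for name, values in query.items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = value
            for _ in range(rounds):
                new = unquote(decoded)
                if new == decoded:
                    break
                decoded = new
            if SUSPICIOUS.search(decoded):
                hits[name.lower()] = decoded
    return hits


def scan_log(lines):
    """Return [(line_number, client_ip, {param: payload})] for suspicious requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        target = extract_request(line)
        if not target:
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append((n, line.split(" ", 1)[0], hits))
    return findings


def reflect_unsafe(value):
    """Vulnerable pattern: the parameter is echoed straight into HTML."""
    return '<input type="hidden" name="fromctrl" value="%s">' % value


def reflect_safe(value):
    """Hardened pattern: HTML-encode, including quotes, before reflecting."""
    return '<input type="hidden" name="fromctrl" value="%s">' % html.escape(value, quote=True)


# Constructed sample log lines (RFC 5737 documentation addresses); no real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:00:01 +0000] "GET /index.php?option=com_hikashop&ctrl=product&task=filter&fromoption=com_hikashop&fromctrl=product&fromtask=listing&fromitemid=101 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Apr/2026:10:00:05 +0000] "GET /index.php?option=com_hikashop&ctrl=product&task=filter&fromctrl=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300',
    '198.51.100.4 - - [09/Apr/2026:10:00:09 +0000] "GET /index.php?option=com_hikashop&ctrl=product&task=filter&fromitemid=1%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5300',
    '198.51.100.5 - - [09/Apr/2026:10:00:12 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    for n, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {hits}")
    probe = '"><script>alert(1)</script>'
    print("unsafe:", reflect_unsafe(probe))
    print("safe:  ", reflect_safe(probe))
```

The decoded payload is kept in the finding so an analyst can see what was attempted without re-deriving it from the raw query string; the second sample line is flagged by the tag pattern and the third, double-encoded one by the event-handler pattern, while the benign first request produces no hit. The `reflect_safe` function is the same output-encoding step the mitigation paragraph calls for: once quotes and angle brackets are entity-encoded, the probe can no longer break out of the attribute.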
CVE-2023-54364 is a reflected cross-site scripting (XSS) vulnerability in Joomla HikaShop versions before 4.7.4, allowing attackers to inject malicious scripts via manipulated GET parameters.
You are affected if you are using Joomla HikaShop versions prior to 4.7.4. Upgrade to the latest version to mitigate the risk.
Upgrade Joomla HikaShop to version 4.7.4 or later. Consider implementing input validation and output encoding as a temporary workaround.
There are currently no widespread reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the official Joomla security advisory for detailed information and updates: [https://security.joomla.org/](https://security.joomla.org/)