On May 17, 2017, researchers detected an SQL injection vulnerability in Joomla! 3.7.0 Core, an open-source content management system (CMS). The vulnerability is high-risk and may lead to data leakage.
See the following for more information about the vulnerability.
Joomla! 3.7.0 Core SQL injection vulnerability
Joomla! 3.7.0 introduces a new component, com_fields. Any user can access the component directly without logging on, and because the component filters request data loosely, this results in SQL injection. The injection can expose sensitive information in the database, such as users' password hashes and logged-on users' session data. An attacker who obtains a logged-on administrator's session can take control of the entire website's backend.
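Because the component is reachable without a session, web server access logs are the most useful place to look for probing while a site is still on 3.7.0. The following is an added example, not code from Joomla! or from the original notice: it parses combined-format access log lines, flags unauthenticated requests to option=com_fields whose query parameters carry generic SQL injection indicators, and shows what strict (allow-list) filtering of a request parameter looks like as a contrast to the loose filtering described above. The log lines, the `order` parameter name and the allow-list are constructed for illustration; the real vulnerable parameter is not named on this page and the allow-list is not Joomla!'s own fix.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Minimal regex for the Apache/Nginx "combined" log format fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Generic SQL injection indicators. Deliberately broad: this is a triage
# filter for review, not a blocking rule, so expect some false positives.
SQLI_MARKERS = re.compile(
    r"""(['"`;]|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\bextractvalue\(|\bupdatexml\()""",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). The third line carries an
# injection-style value in a made-up "order" parameter.
LOG_LINES = [
    '203.0.113.5 - - [17/May/2017:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [17/May/2017:10:01:09 +0000] "GET /index.php?option=com_fields HTTP/1.1" 200 2210',
    '198.51.100.7 - - [17/May/2017:10:02:33 +0000] "GET /index.php?option=com_fields&order=a%27%20UNION%20SELECT%201 HTTP/1.1" 500 612',
]


def parse_line(line):
    """Return a dict with ip, timestamp, path, decoded query params and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes keys and values, so markers hidden by URL
    # encoding are visible to the regex below.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def is_suspicious_com_fields(entry):
    """True when the request targets com_fields and any parameter carries an SQLi marker."""
    if entry is None or entry["params"].get("option") != "com_fields":
        return False
    for key, value in entry["params"].items():
        if key == "option":
            continue
        if SQLI_MARKERS.search(key) or SQLI_MARKERS.search(value):
            return True
    return False


def scan_log(lines):
    """Return the parsed entries that should be reviewed by an analyst."""
    return [e for e in map(parse_line, lines) if is_suspicious_com_fields(e)]


# Contrast to "loose filtering": an ordering column taken from the request is
# only ever used if it is one of a fixed set of known column names. Anything
# else falls back to a safe default instead of reaching the SQL string.
ALLOWED_ORDER_COLUMNS = frozenset({"id", "title", "ordering", "state"})


def safe_ordering(requested, default="id"):
    """Allow-list a user-supplied ordering column; hypothetical helper for illustration."""
    return requested if requested in ALLOWED_ORDER_COLUMNS else default


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} {hit['params']} status={hit['status']}")
    print(safe_ordering("title"), safe_ordering("a' UNION SELECT 1"))
```

Run against real logs, `scan_log` lists requests worth a closer look; it does not confirm exploitation, and a site on 3.7.0 should be upgraded regardless of whether anything is flagged. The `safe_ordering` helper illustrates the general principle behind the fix, namely that request-controlled identifiers belong in an allow-list check before they touch a query, rather than being escaped after the fact.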
Condition and method of exploitation
Joomla! 3.7.0 Core
How to fix or mitigate
We recommend that you install the latest official patch immediately. Joomla! 3.7.1 is available at https://downloads.joomla.org/cms/joomla3/3-7-1.