Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network injection (PR:N) but stored payload requires a victim to view the AI page (UI:R); XSS crosses into the victim's browser (S:C) yielding low confidentiality/integrity impact, no availability effect.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Joomla extension 4Analytics is vulnerable to an unauthenticated stored XSS in relation to the AI analysis feature.
AnalysisAI
Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Joomla site has the 4Analytics extension installed and actively uses its AI analysis feature, since that specific view is where the stored payload is rendered and executed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H - network-reachable, low complexity, no privileges, but requiring active user interaction, with high impact to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated visitor sends crafted requests to a 4Analytics-monitored Joomla site, embedding a JavaScript payload in an analytics-captured field (such as a referrer or event parameter) that is stored by the extension. Later, a site administrator opens the AI analysis feature to review insights, at which point the stored script executes in the admin's authenticated browser session - potentially hijacking the session, exfiltrating cookies/tokens, or performing actions as the administrator. … |
| Remediation | No vendor-released patch identified at time of analysis - the only reference is the product page (https://weeblr.com/joomla-seo/4analytics-private-analytics-for-joomla), not a dedicated advisory or tagged release, so no exact fix version can be cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your Joomla installation to identify if 4Analytics is installed and active; if present, immediately disable the extension or restrict access to the analytics interface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44601
GHSA-8q44-8chq-65hc