virtuemart CVE Vulnerabilities & Metrics

Focus on virtuemart vulnerabilities and metrics.

Last updated: 07 Jun 2025, 22:25 UTC

About virtuemart Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with virtuemart. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total virtuemart CVEs: 4
Earliest CVE date: 19 Jan 2007, 23:28 UTC
Latest CVE date: 21 Apr 2025, 08:15 UTC

Latest CVE reference: CVE-2025-25228

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical virtuemart CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.16

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     3
4.0-6.9     4
7.0-8.9     2
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS virtuemart CVEs

These are the five CVEs with the highest CVSS scores for virtuemart, sorted by severity first and then by recency.

All CVEs for virtuemart

CVE-2025-25228 virtuemart vulnerability CVSS: 0 21 Apr 2025, 08:15 UTC

A SQL injection in VirtueMart component 1.0.0 - 4.4.7 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the product management area in backend.

CVE-2018-7465 virtuemart vulnerability CVSS: 3.5 26 Apr 2018, 19:29 UTC

An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.

CVE-2015-3619 virtuemart vulnerability CVSS: 3.5 06 Feb 2018, 16:29 UTC

Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in the VirtueMart component before 3.0.8 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors involving a "double encode combination of first_name, last_name and company."

CVE-2016-10379 virtuemart vulnerability CVSS: 6.5 29 May 2017, 19:29 UTC

The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL injection by remote authenticated administrators via the virtuemart_paymentmethod_id or virtuemart_shipmentmethod_id parameter to administrator/index.php.

CVE-2009-4430 virtuemart vulnerability CVSS: 7.5 28 Dec 2009, 19:00 UTC

SQL injection vulnerability in index.php in VirtueMart 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter in a shop.product_details shop.flypage action.

CVE-2008-7205 virtuemart vulnerability CVSS: 4.3 11 Sep 2009, 16:30 UTC

Unspecified vulnerability in the product view functionality in VirtueMart 1.0.13a and earlier allows remote attackers to read arbitrary files via vectors related to a template file.

CVE-2008-7204 virtuemart vulnerability CVSS: 6.8 11 Sep 2009, 16:30 UTC

Cross-site request forgery (CSRF) vulnerability in VirtueMart 1.0.13a and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

CVE-2006-6945 virtuemart vulnerability CVSS: 7.5 19 Jan 2007, 23:28 UTC

SQL injection vulnerability in Virtuemart 1.0.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, probably related to (1) Itemid, (2) product_id, and category_id parameters as handled in virtuemart_parser.php.

CVE-2007-0376 virtuemart vulnerability CVSS: 6.8 19 Jan 2007, 23:28 UTC

Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.