CVE-2026-48943: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment in getk2.com K2 extension for Joomla
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
AI Analysis
Technical Summary
The K2 extension for Joomla (versions 1.0 to 2.26) suffers from a CWE-915 mass-assignment vulnerability in the 'plg_user_k2' system user plugin. This flaw allows authenticated Joomla users to manipulate certain database fields ('notes', 'image', 'plugins') in their own K2 user record by submitting a specially crafted POST request with the 'K2UserForm=1' parameter. The vulnerability arises because these fields are not properly protected against modification via the standard profile.save operation, enabling unauthorized attribute changes that are not normally permitted through the frontend interface.
Potential Impact
An authenticated Joomla user can modify sensitive fields in their own K2 user database record that are not exposed through the normal user interface. This could lead to unauthorized changes in user profile data stored in the 'notes', 'image', and 'plugins' columns, potentially affecting application behavior or user data integrity. There is no indication of remote code execution or privilege escalation beyond the user's own account.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the profile.save functionality or monitor for unusual POST requests containing the 'K2UserForm=1' parameter. Avoid granting unnecessary permissions to registered users and consider disabling the vulnerable plugin if feasible.
CVE-2026-48943: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment in getk2.com K2 extension for Joomla
Description
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The K2 extension for Joomla (versions 1.0 to 2.26) suffers from a CWE-915 mass-assignment vulnerability in the 'plg_user_k2' system user plugin. This flaw allows authenticated Joomla users to manipulate certain database fields ('notes', 'image', 'plugins') in their own K2 user record by submitting a specially crafted POST request with the 'K2UserForm=1' parameter. The vulnerability arises because these fields are not properly protected against modification via the standard profile.save operation, enabling unauthorized attribute changes that are not normally permitted through the frontend interface.
Potential Impact
An authenticated Joomla user can modify sensitive fields in their own K2 user database record that are not exposed through the normal user interface. This could lead to unauthorized changes in user profile data stored in the 'notes', 'image', and 'plugins' columns, potentially affecting application behavior or user data integrity. There is no indication of remote code execution or privilege escalation beyond the user's own account.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the profile.save functionality or monitor for unusual POST requests containing the 'K2UserForm=1' parameter. Avoid granting unnecessary permissions to registered users and consider disabling the vulnerable plugin if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Joomla
- Date Reserved
- 2026-05-26T16:47:13.550Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3d4d4b4853345fc124a300
Added to database: 06/25/2026, 15:46:19 UTC
Last enriched: 06/25/2026, 16:02:06 UTC
Last updated: 06/25/2026, 20:13:52 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.