Joomla extension JoomShaper SP LMS contains an object injection vulnerability leading to remote code execution for the attacker. This vulnerability is identified as CVE-2026-48909 and affects version 4.1.3 and below of SP LMS.
This is due to the existence of the vulnerability in the com_splms component. Here, the threat actor sends a lmsOrders cookie, which will cause an unserialize function in the cart model and, thus, lead to a gadget chain that writes a webshell to disk.
Attack Mechanism
The Joomla SP LMS PHP object injection vulnerability starts with an lmsOrders cookie. The application will use this cookie by using the unserialize(base64_decode($cookie)) function on it. This is another case of an insecure deserialization vulnerability.
The malicious user creates an object, which causes the execution of the __destruct() function from the FormattedtextLogger class. This Joomla core gadget chain then calls File::write($path, $format).
The $format parameter is attacker-controlled. The attacker can write a webshell to a writable directory on the server.
The Joomla Input Filter Bypass
The Joomla SP LMS PHP object injection vulnerability includes a notable bypass. By default, the Joomla function $cookie->get() uses the 'cmd' filter. The ‘cmd’ filter excludes certain characters including ‘/’, ‘=’, and ‘+’.
Bypass technique consists of:
- Padding is added to ensure that the payload length is a multiple of 3 such that there are no “=” characters in the Base64 encoded output.
- The payload is repeated to get a base64 encoded string that doesn’t have any ‘/’ character in it.
- The format string employs hex2bin() to exclude certain characters including ‘$’, ‘_’, ‘{‘, ‘}’, and ‘\n’.
Gadget Chain
Joomla SP LMS PHP object injection exploit makes use of the FormattedtextLogger class as a gadget.
The gadget chain may be described as follows:
- The attacker passes the base64-encoded serialized object via the lmsOrders cookie.
- The com_splms component of Joomla unserializes the cookie value.
- The deserialized object is of the type FormattedtextLogger.
- During destructing, the __destruct() method calls the File::write() method.
- The file path and its contents are controlled by the attacker.
- A webshell is created on the server side.
Joomla Version Note
The Joomla SP LMS PHP object injection vulnerability has a version-specific caveat. Remote code execution requires Joomla versions below 5.2.2. Joomla 5.2.2 patched the FormattedtextLogger.__wakeup() method which stops the gadget chain.
PHP object injection vulnerability is present in com_splms on Joomla 5.2.2 and later. However, there is no publicly available gadget chain that results in RCE on the patched version of Joomla.
Exploit
The exploit script delivers the malicious lmsOrders cookie to the vulnerable endpoint.
/index.php?option=com_splms&view=cartThe exploit script carries out the following tasks:
- Generates a base64-encoded payload to evade the cmd filter of Joomla.
- Transmits the payload through the lmsOrders cookie.
- Initiates the FormattedtextLogger.__destruct() gadget.
- Creates the webshell on the given path.
- Checks the existence of the webshell by sending the request “?c=id.”
The exploit needs to have an absolute writable path on the remote host, e.g:
- /var/www/html/tmp/x.php
- /home/USER/public_html/tmp/x.php
- /var/www/vhosts/site.com/httpdocs/tmp/x.php
Fixing the Issue
A fix for the Joomla SP LMS PHP object injection vulnerability has been provided through the release of SP LMS version 4.1.4.
For those using Joomla version 5.2.2 and above, the gadget chain is not possible due to certain changes. The unserialize vulnerability, however, still exists.
The Bottom Line
The Joomla SP LMS PHP object injection vulnerability is a serious security flaw. A cookie leads to an unserialize call. The unserialize triggers a gadget chain.
The gadget chain writes a webshell to disk. The webshell gives the attacker remote code execution.
The exploit bypasses Joomla's input filters. The patch is available. Update now.
FAQ Section
What is CVE-2026-48909?
CVE-2026-48909 refers to a PHP object injection vulnerability in the JoomShaper SP LMS plugin for Joomla. The vulnerability lets the attacker carry out remote code execution through a manipulated lmsOrders cookie.
What versions are affected?
Affected versions are SP LMS 4.1.3 and earlier versions. This vulnerability was patched in SP LMS 4.1.4.
How does the attack happen?
The attacker passes a serialized object encoded in base64 through the lmsOrders cookie, which causes a gadget chain to be called and the creation of a webshell on the disk.
Does this affect all Joomla versions?
Remote code execution requires Joomla below 5.2.2. Joomla 5.2.2 patched the FormattedtextLogger gadget chain. The unserialize vulnerability still exists but no known gadget chain leads to RCE on patched versions.
What could I do to solve it?
Update SP LMS to version 4.1.4 or later. Update of Joomla to version 5.2.2 is also advised, if possible.
What else can I do in case of not being able to update?
Limit the access to the com_splms plugin. Watch for anything suspicious regarding cookies. Web application firewall can be used.