The J2Store plugin prior to 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager.
Vendor: j2store. Product: j2store.