Vulnerable Extensions List

From Joomla! Documentation

Revision as of 17:39, 8 April 2020 by Wilsonge (talk | contribs) (Remove under investigation page link now deleted)

This page has been archived. This page contains information for an unsupported Joomla! version or is no longer relevant. It exists only as a historical reference, it will not be improved and its content may be incomplete and/or contain broken links.

General Information

This document was replaced by the VEL website on 1st May 2013; please refer there for the latest updates.

The list of entries prior to January 2011 is archived separately; please check there as well.

Check and Report

Please check with the extension publisher in case of any questions over the security of their product.

General Information

All reports are now to be made via the VEL website.

How to use this list

Items are removed after a suitable period, not immediately on resolution.


All known vulnerable extensions are listed in the first column, "Extension". The centre columns give the advisory details and the date the item was added (ddmmyy). The last column, "Extension Update Link & Date", links to the developer's update or statement; "Not Known" means no update is known. On the original wiki page rows were also colour-coded: red where no fix had been provided, turquoise where a link to an update notice exists, and uncoloured meaning "contact the developer about this extension".

This list is compiled from information found and may not be up to date or accurate. We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. An RSS feed of the list is also available.

  • We do not list BETA products or extensions for J1.0.x.
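Checking a site against this list starts from what is actually installed. The script below is an added example by the editor, not code from the original page or from the Joomla! project: it walks the standard extension directories and reads the <name> and <version> of each manifest, on the assumption that every component, module and plugin ships a manifest XML whose root element is <install> (Joomla! 1.5) or <extension> (1.6 and later). The function names and the tab-separated output format are the editor's choice.

```shell
#!/bin/sh
# Added example (not part of the original page or of Joomla!): list the
# extensions installed in a Joomla! site with the version declared in each
# manifest, so the site can be compared against the VEL entries.
# Assumption: components, modules and plugins live under the standard
# directories and each ships a manifest whose root element is
# <install ...> (Joomla! 1.5) or <extension ...> (1.6+) with <name> and
# <version> children on single lines.
# Usage: joomla_ext_versions /path/to/joomla_root
# Output: one line per extension, tab-separated: name, version, manifest path.

# Text of the first <tag>...</tag> found on a single line of a file.
manifest_field() {
    # $1 = tag name, $2 = manifest path
    sed -n "s/.*<$1>[[:space:]]*\([^<]*\)<\/$1>.*/\1/p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

joomla_ext_versions() {
    root="${1:-.}"
    for dir in "$root/administrator/components" "$root/components" \
               "$root/administrator/modules" "$root/modules" \
               "$root/plugins"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.xml' 2>/dev/null | sort | while read -r manifest; do
            # Skip XML that is not an extension manifest (config.xml, language files, ...).
            grep -q -E '<(install|extension)[[:space:]>]' "$manifest" || continue
            name=$(manifest_field name "$manifest")
            [ -n "$name" ] || continue
            version=$(manifest_field version "$manifest")
            printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "$manifest"
        done
    done
}
```

Run it against the site root and compare the first column with the "Extension" column of the tables. A name match is the cue to read the row and the developer's notice; the version recorded in the list is often only the version that was reported, not necessarily the last affected one, so a match on name with any version at or below the developer's fix release should be treated as affected until the notice says otherwise.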

Developers - How to get yourself removed from the VEL

Resolved items are removed after a suitable period, not immediately on resolution.

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file to your current JED listing.

3- Change the extension version on the JED listing.

4- Include a notice in the JED description that the new release is a "Security Release" and that those who use the extension should upgrade immediately.

5- Complete the resolution form on the VEL website (in use from 1st May 2013).

6- Create a JED listing owner ticket with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page.

The VEL contact details are given above (reports now go via the VEL website); the JED support link is in your notice of unpublication.

  • If not JED listed

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

January 2012 and onwards Reported Vulnerable Extensions

| Extension | Details | Date Added | Extension Update Link & Date |
|---|---|---|---|
| civic crm 422 | Upload exploit / RFI | 260413 | Developer release 4.3.1 |
| ALFContact | XSS | 230413 | Developer release statement: ALFContact v2.0.8 for J!2.5, ALFContact v3.1.4 for J!3 |
| aiContactSafe 2.0.19 | XSS | 160413 | Developer release statement for version 2.0.21 |
| | SQLi | 180313 | Developer release statement for version 12 |
| Multiple Customfields Filter for Virtuemart | SQLi | 18212 | Developer 1.6.8 update statement |
| | Various | 230113 | Developer update statement to 0.5.1 |
| tz guestbook | Various | 100113 | Developer release statement for 1.1.2 |
| | Authentication bypass in 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 | 251212 | Developer update to 2.1.3, statement |
| | SQLi | 101212 | Developer release: new version 1.13.1, upgrade notice |
| ag google analytic | Various | 061212 | |
| sh404sef <3.7.0 | Undisclosed; affects sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 | 26112 | Developer statement |
| Login Failed Log | ID (information disclosure) | 23112 | Developer release statement to ver 1.5.4 |
| | | 131112 | Developer update statement to version 7.9.1, 151112 |
| Joombah Jobs | Upload restriction issues | 131112 | Developer update statement |
| | RFI | 231012 | Developer update statement to version 3.2, 271012 |
| | SQLi + ID | 221012 | Developer states current version not exploitable by reported methods |
| | SQLi | | Developer statement for 1.2.9 |
| JTag [joomlatag] | | | |
| Freestyle Support | SQLi | | Developer update statement, 251012 |
| AceFTP | DT | 011012 | AceFTP 2.0.0 released; developer statement 101012 |
| | DT | 011012 | Reported fixed prior to notification |
| spider calendar lite | RFI | 180912 | Developer release version 1.5 |
| RokModule | SQLi (re-reported) | 180912 | Developer states: no known exploits for current versions of RokModule (Joomla 2.5: v1.3; Joomla 1.5: v1.4) |
| | SQLi | | Developer security release v1.2.1, 080912 |
| En Masse cart | RFI | 060812 | Developer upgrade statement to 3.1.3 |
| JCE (joomla content editor) | Upload restriction, versions <2.2.4 | 050812 | Developer states current version not exploitable |
| | SQLi, XSS | 310712 | Developer statement: versions 3.2.0 for Joomla 2.5 and 2.3.0 for Joomla 1.5 released |
| | Unrestricted uploads | 160712 | Developer release version 2.0.3, 180712 |
| | RFI | 160712 | Security update version 1.5.72; developer advisory in German and English |
| Shipping by State for Virtuemart | Elevated permissions | 160612 | Upgrade to v2.5 (commercial product download), 300612 |
| ownbiblio 1.5.3 | SQLi + | 250512 | |
| Ninjaxplorer <=1.0.6 | Developer notification | 250412 | Developer statement: upgrade to 1.0.7 |
| Phoca Fav Icon | Permissions rewrite | 150412 | Developer update 2.0.3 statement |
| estateagent improved | SQLi | 110412 | Developer states previous version affected, not current version |
| | SQLi | 110412 | No longer maintained |
| JLive! Chat v4.3.1 | DT | 060412 | Developer reports as unproven |
| virtuemart 2.0.2 | SQLi | 050412 | Developer release statement; current version 2.0.6 released |
| JE testimonial | SQLi | 230312 | Developer states malicious report |
| | Excessive file permissions | 090212 | Version 1.3.1 released |
| Quickl Form | XSS | 260112 | |
| | SQLi | 240112 | Developer unknown |
| Joomla Discussions Component | SQLi | 180112 | Discussions 1.4.1 released, developer statement |
| HD Video Share (contushdvideoshare) | SQLi | 180112 | Updated version 2.2 |
| Simple File Upload 1.3 | RFI | 010112 | Developer update statement to 1.3.5 |

January 2011 - Jan 2012 Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic, with a title beginning with the words "Vulnerable Report", where the security moderators or the JSST team will respond, or via email to the VEL team. For a guide to the codes used in the table, see "Codes used" below.

| Extension | Details | Date Added | Extension Update Link & Date |
|---|---|---|---|
| Simple File Upload 1.3 | RFI | 010112 | Developer update statement to 1.3.5 |
| | SQLi (possibly) | 201111 | |
| QContacts 1.0.6 | SQLi | 131211 | |
| Jobprofile 1.0 | SQL injection | 051211 | |
| JX Finder 2.0.1 | XSS | 011211 | |
| | Unknown exploit | 301111 | |
| JB Captify Content (J1.5 and J1.7) | Security checks missing; versions prior to (not recorded) | 141111 | All extensions available on the developer site have been updated and this potential security issue has been resolved |
| JB Microblog | Security checks missing (J1.7 only); versions prior to 1.10.3 | 141111 | All extensions available on the developer site have been updated and this potential security issue has been resolved |
| JB Slideshow <3.5.1 | Security checks missing | 141111 | All extensions available on the developer site have been updated and this potential security issue has been resolved |
| JB Bamboobox | Security checks missing (J1.5, all versions prior to 1.2.2) | 141111 | All extensions available on the developer site have been updated and this potential security issue has been resolved |
| RokStock, RokWeather, RokNewspager (RokModule) | SQLi exploits | 121111 | Developer release statement: RokModule v1.3 for Joomla 1.7, RokModule v1.4 for Joomla 1.5 |
| hm community | Multiple vulnerabilities | 011111 | Developer release 1.01 |
| | SQLi | 011111 | Developer statement; latest version number v1.0.1 |
| Techfolio 1.0 | SQLi | 291011 | |
| Barter Sites 1.3 | SQL injection and persistent XSS | 291011 | Developer release 1.3.1 |
| Jeema SMS 3.2 | Multiple vulnerabilities | 291011 | Developer resolution notice for 3.5.2 |
| Vik Real Estate 1.0 | Multiple blind SQLi | 291011 | |
| yj contact (YouJoomla Contact) | LFI | 241011 | Developer update statement, 261011 |
| NoNumber Framework | Affects Advanced Module Manager, AdminBar Docker, Add to Menu, Articles Anywhere, What? Nothing!, Tooltips, Tabber, Sourcerer, Slider, Timed Styles, Modules Anywhere, Modalizer, ReReplacer, Snippets, DB Replacer, CustoMenu, Content Templater, CDN for Joomla!, Cache Cleaner, Better Preview | 181011 | See the developer site for updates of the various extensions |
| Time Returns | SQLi | 151011 | No longer developed; new version 2.0.1 for Joomla 1.6/1.7 (old versions no longer supported) |
| Simple File Upload | LFI | 300811 | Developer advice page |
| | LFI | 300811 | Developer states correct use requires reading the Joomla administration/extension documentation |
| Joomla content editor (JCE) | LFI/RFI | | JCE 2.0.11 and JCE (version not recorded) have been released |
| Google Website Optimizer (Pearl Group) | Numerous vulnerabilities | 290811 | Developer update statement to ver. 1.4.0 |
| Almond Classifieds | 777 folder settings (all folders it uses are set to 777, including previously 755 locked folders) | 260811 | Developer resolution notice |
| | LFI/RFI | 180811 | Developer resolution notice 1.0.3 |
| RAXO All-mode PRO | TimThumb RFI | 110811 | Developer upgrade 1.5.0 statement |
| | DT, open folders | 110811 | Developer resolution statement |
| | LFI | 310711 | Developer release statement |
| Simple Page | LFI | 230711 | Developer update statement: v1.5.17 released |
| JE Story | LFI | 230711 | Developer security update notice to ver 1.9 |
| appointment booking pro | LFI | 220711 | Developer update security announcement: current 2.0.1 and 1.4.x versions are not vulnerable |
| | XSS (admin permission required) | 220711 | Updated to 5.20 |
| | ID | 220711 | Developer security release 1.5 x.25 and 1.6 x.26 |
| alpharegistration | Please contact the developer for any questions on this extension | 170711 | 220711 |
| | DT | 170711 | Developer states the new version v1.5r1362 resolves the problem |
| Flash Magazine Deluxe Joomla | ID, multiple vulnerabilities | 170711 | Developer release 2.1.4 |
| | SQLi (version 1.2.6) | 150711 | 1.2.7 released; developer release statement 160711 |
| | SQLi | 130711 | Developer fix and update statement |
| | SQLi | 120711 | Developer update statement 2.1 |
| | SQLi (1.2.11) | 120711 | Upgrade to 1.2.12 |
| Atomic Gallery | Creates 777 folders | 110711 | Developer release statement/changelog |
| | ID: contains a "call-home" function that sends private user information to the developer | 020711 | Developer states: use version (not recorded) |
| | SQLi (not listed in JED) | 020711 | |
| Calc Builder | SQLi + ID | 180611 | Developer security release 0.0.2 |
| Cool Debate 1.03 | LFI | | Version 1.0.8 released |
| Scriptegrator Plugin 1.5.5 | LFI | 140611 | Update: Core Design Scriptegrator plugin 2.0.9 and 1.5.6 |
| Joomnik Gallery | SQLi | | Developer update to 0.9.1 |
| JMS fileseller | LFI | 0611 | Developer upgrade announcement to v1.1 |
| | Low-level XSS | 300511 | Developer upgrade statement to 2.2.6 |
| JE Story submit | LFI/RFI | | Developer states version 1.8 |
| | File upload vulnerability | 230511 | |
| | ID | 190511 | |
| Ask A Question AddOn v1.1 | SQLi | 160511 | |
| Global Flash Gallery | XSS | 130511 | Developer release 0.5.0 statement |
| com_google | LFI | 080511 | Developer update to 1.5.1 |
| com_docman | Input validation error | 160511 | Developer resolution statement; report is for an old version |
| Newsletter Subscriber | XSS | 120511 | Developer update |
| Akeeba Backup and JoomlaPack | | 170411 | Developer update to 3.2.7 |
| Facebook Graph Connect | SID; call-home device with user credentials | 120411 | Developer update notice |
| OrdaSoft BookLibrary | SQLi | 180311 | Developer upgrade instructions |
| com_semantic | Creates hidden admin users | 150311 | |
| JOMSOCIAL 2.0.x 2.1.x | SID, open folders | 120311 | |
| | Forced 777, malicious files | 250311 | Developer resolution statement, changelog |
| jLabs Google Analytics Counter | SID | | |
| | Unspecified | 260211 | Developer announcement of security release |
| | RFI (repeat of 041110) | 230211 | v2.4.1 security fix for Joomla 1.5.x |
| xmap 1.2.10 | Malicious payload in zip | 230211 | Developer resolution notice; clean version available from joomlacode |
| Frontend-User-Access 3.4.1 | LFI | 030211 | Update to Frontend-User-Access 3.4.2 |
| com properties 7134 | Malicious files in script | | Developer update statement |
| B2 Portfolio 1.0 | SQLi | 250111 | |
| | SQLi | 220111 | Developer resolution notice |
| People Component | SQLi | 150111 | |
| Jimtawl | LFI | 251110 | |
| Maian Media SILVER | SQLi | 151110 | Developer states unproven in free edition; paid/SILVER version is being upgraded (developer article) |
| alfurqan 1.5 | SQLi | 151110 | Developer update statement |
| ccboard | XSS and SQLi | 131110 | Developer: update information is on their site |
| ProDesk v1.5 | LFI | 091110 | |
| | SQL injection | 011110 | Developer resolution notice |
| Flip wall | SQL injection | 011110 | Developer update notice |
| Freestyle FAQ 1.5.6 | SQL injection | | New version (1.9.0) is available which fixes the security issues |
| iJoomla Magazine 3.0.1 | RFI | 090910 | |
| Clantools | SQLi | 090910 | |
| jphone | LFI | 090910 | |
| | LFD, 777 | 020910 | New version released 150312, version number 11 |
| Zoom Portfolio | SID | 020910 | |
| | SQL injection | 020910 | |
| Teams extension | SQL injection | 120810 | |
| Amblog | SQLi | 120810 | |
| wmtpic | Various | 010710 | |
| Jomtube | SID | 220710 | |
| Rapid Recipe | Persistent XSS | 100710 | Last known fix version 1.7.2 |
| Health & Fitness Stats | Persistent XSS | 100710 | |
| staticxt | (no version number provided) | | |
| quickfaq | SQLi | 090710 | |
| Minify4Joomla | LFI and XSS | 090710 | No longer available to download |
| IXXO Cart | SQLi, LFI, XSS | | Developer resolution notice |
| PaymentsPlus 2.1.5 | Blind SQL injection | 090710 | Current version 2.20; 2.1.5 not listed on developer site |
| ArtForms 2.1b7.2 RC2 | Multiple remote vulnerabilities | 090710 | Old beta extension |
| autartimonial | SQLi | 060710 | |
| eventcal 1.6.4 | SQLi (last update 2006-12-31 on joomlacode) | 040710 | |
| date converter | SQLi | 010710 | |
| real estate | RFI | 210610 | |
| | SQL injection | 190610 | |
| Jreservation | SQLi | 190610 | |
| joomdocs | XSS | 190610 | |
| Live Chat | Multiple remote vulnerabilities | 190610 | |
| Turtushout 0.11 | SQL injection (again) | 190610 | |
| BF Survey Pro Free | SQL injection exploit | 190610 | Product marked as retired by the developer |
| MisterEstate | Blind SQL injection exploit | 190610 | |
| RSMonials | XSS exploit | 190610 | Believed to be version 1.5.1 |
| Answers v2.3beta | Multiple vulnerabilities | 180610 | |
| Gallery XML 1.1 | Multiple vulnerabilities | | |
| JFaq 1.2 | Multiple vulnerabilities | 180610 | |
| Listbingo 1.3 | Multiple vulnerabilities | | |
| Alpha User Points | LFI | 180610 | |
| recruitmentmanager | Upload vulnerability | 130610 | |
| Info Line (MT_ILine) | Reports of shell scripts in download file | 120610 | |
| Ads manager Annonce | Upload vulnerability | | |
| lead article | SQLi | 050610 | |
| djartgallery | Multiple vulnerabilities | 050610 | |
| Gallery 2 Bridge (g2bridge) | LFI | | |
| jsjobs | SQL injection | | |
| JE Poll | SQL injection | | |
| MediQnA v1.1 | LFI | | |
| JE Job | LFI, SQLi | | |
| Stack Ideas section Ex | LFI | | |
| ActiveHelper LiveHelp | XSS in LiveHelp | 200510 | |
| JE Quotation Form (now known as JE Quote Form) | LFI | | Developer's statement of resolution |
| | SQL injection | | |
| Seber Cart | Local file disclosure | | Developer update, 140510 |
| Camp26 Visitor | | | |
| JE Property (JE Property Finder) | Upload vulnerability | | |
| Noticeboard for Joomla | LFI via the "controller" parameter | | |
| SmartSite (com_smartsite) | LFI | | |
| htmlcoderhelper graphics v1.0.6 | LFI | | |
| Ultimate Portfolio | LFI | | |
| Archery Scores (com_archeryscores) v1.0.6 | LFI | 210410 | |
| ZiMB Manager | LFI | 210410 | |
| Matamko | LFI | 210410 | |
| Multiple Root | LFI | | |
| Multiple Map | LFI | | |
| Contact Us Draw Root Map | LFI | | |
| iF surfALERT | LFI | | |
| GBU FACEBOOK | SQL injection | | |
| jnewspaper | SQL injection (cid parameter) | | |
| MT Fire Eagle | LFI | 190410 | Product considered retired; to be replaced by the developer |
| Sweetykeeper | LFI | 120410 | |
| | SQL injection | 120410 | |
| worldrates | | 120410 | |
| horoscope | | 120410 | |
| webtv | | 120410 | |
| diary | | 120410 | |
| Memory Book | | 120410 | |
| | LFI | 110410 | |
| | LFI | 040410 | |
| | ID | 040410 | |
| gigcalender | SQLi | 130310 | |
| heza content | SQLi | 130310 | |
| Sqlreport | SQL/RFI exploit; awaiting confirmation of the exact developer | Feb 20 | Not Known |
| | SQLi; unable to locate developer, possibly a custom extension | Feb 01 | Not Known |

This list is change-protected; for updates or additions contact Mandville, lafrance or PhilD.

Codes used

SQLi - SQL injection

XSS - Cross-site scripting

LFI - Local File Inclusion

RFI - Remote File Inclusion

LFD - Local File Disclosure

DT - Directory Traversal (including world-writable "777" folders)

ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a third party without the user's knowledge
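Several rows above are filed under DT for "777 folders" rather than for a bug in code. The script below is an added example by the editor, not part of the original page or of Joomla!, for auditing an install for that condition: it lists every world-writable file or directory under the site root and, separately, the PHP files that sit in a world-writable directory or are world-writable themselves. The working assumption, the editor's rather than a rule stated by Joomla!, is that a site should contain no mode-777 paths at all; the directories the web server must write to should be owned by its user instead.

```shell
#!/bin/sh
# Added example (not part of the original page or of Joomla!): audit a
# Joomla! install for world-writable paths, the "777 folders" behind several
# DT entries in the list. A world-writable directory under the web root lets
# any local account, or any PHP the web server runs, drop a file there; when
# that directory is web-reachable the dropped file can be a PHP shell.
# Assumption (editor's): no path under the site root should be mode 777/666.
# Usage: joomla_world_writable /path/to/joomla_root

# Every file or directory under $1 whose "other" write bit is set, one per line.
joomla_world_writable() {
    root="${1:-.}"
    find "$root" \( -type d -o -type f \) -perm -0002 2>/dev/null | sort
}

# Number of world-writable paths under $1 (0 when the tree is clean).
joomla_world_writable_count() {
    joomla_world_writable "$1" | wc -l | tr -d ' '
}

# The dangerous combination: PHP files that live directly inside a
# world-writable directory, or are themselves world-writable, i.e. code
# anyone on the host can create or replace. Duplicates are merged.
joomla_writable_php() {
    root="${1:-.}"
    {
        find "$root" -type d -perm -0002 2>/dev/null | while read -r dir; do
            find "$dir" -maxdepth 1 -type f -name '*.php'
        done
        find "$root" -type f -name '*.php' -perm -0002 2>/dev/null
    } | sort -u
}
```

A non-empty result from joomla_writable_php is the one to act on first: fix the ownership so the web server's user owns the directory and drop the mode to 755 (or 644 for files), then check the directory for files that should not be there, since the "malicious files" entries in the list were found in exactly this kind of folder.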

Future Actions & WIP

RSS feed completed.

To do: feed the VEL directly to Twitter.

The RSS feed is currently ordered by item entry order, not by date fixed. List as discussed in jtopic:455746 by PhilD; editing by Mandville.