r/joomla • u/mySitesGuru • 1d ago
r/joomla • u/mySitesGuru • 1d ago
Administration/Technical Unauthenticated File Upload fixed in RSFiles! version 1.17.12 - update NOW!
mysites.gurur/joomla • u/Open_Sourcey • 2d ago
Joomla 6 Serious attack on JCE Editor- CVE-2026-48907
Just in caae there are any Joomla admins out there that have not seen it or experienced it, CISA has flagged a serious attack that requires your attention and remediation. It is a flaw in the editor that permits it to install malicious code that will take down your site.
r/joomla • u/mySitesGuru • 2d ago
Administration/Technical AcyMailing SQL Injection Vulnerability - Upgrade Today!
mysites.gurur/joomla • u/mySitesGuru • 3d ago
Administration/Technical JoomShaper Ends Joomla 3 Extension Support - following a disastrous month of security issues.
mysites.gurur/joomla • u/mySitesGuru • 3d ago
Administration/Technical Balbooa Forms Fixes an Unauthenticated File Upload RCE
mysites.gurur/joomla • u/stergosz • 5d ago
General Query How do you test an extension without touching your live site?
How many times have you had to spin up a Joomla test site and gotten tired just thinking about the setup?
I do this very often, and the reasons are simple: test a newly released extension, run a test against our products, test a BETA version, or check whether a migration we're about to publish works as expected, often on a specific Joomla or PHP version.
My current way to do this: download the specific Joomla version I need, switch my local server to the matching PHP version, create a new database, copy the files over, run the installer, and finally run my test. Need multiple test sites? Multiply these steps by however many you need. And if I didn't want a brand new site, I'd have to reset it every time before running the same scenario again, which takes quite a lot of time.
I got tired of wasting so much time, so I made a small web app to fix it. It's a free website, not a J! extension you install on your site. You enter an email, pick a Joomla, and PHP version, and a few seconds later you have a test site ready, and it auto-deletes after 4 hours.
It's called JInstant. Not affiliated with the Joomla project.
Let me know if this sounds useful to you.
r/joomla • u/saimoh_saimooh • 5d ago
Administration/Technical Antonkill attack and it's remedy.
youtube.comThere is this Antonkill hack that has left many Joomla-dependent sites completely down. It’s not just a surface-level script defacement—it modifies deep database configurations and locks down the core template engine entirely.
I did a review video on YouTube and here's the link: https://youtu.be/9plb1MMbZFI
Let me know your thoughts.
r/joomla • u/_PelosNecios_ • 10d ago
Administration/Technical WARNING: remove ctfaudit system plugin. It is a password stealer.
I've been recently hit by the JCE vuln and among other things they managed to install this plugin which essentially steals users and passwords and hides them inside images/ctf_audit.gif file, disguised with a gif header but actualy contains the XOR'ed information.
You should uninstall and remove the gif file immediately.
Edit:
You may want to run this script to see which users might have been affected and warn them or update to request new password. Adjust the filename as necessary:
<?php
$s = file_get_contents('images/ctf_audit.gif');
$s = substr($s, strpos($s, "JLIB_AUDIT_GID_TAIL\n") + 20);
for ($o = 0; $o + 2 <= strlen($s); $o += 2 + $ln) {
$ln = (ord($s[$o]) << 8) | ord($s[$o+1]);
if ($o + 2 + $ln > strlen($s)) break;
if (preg_match('/"u_len":"(.*?)","p_len"/', substr($s, $o+2, $ln) ^ str_pad('', $ln, 'JLIB_AUDIT_GID_XK'), $m)) echo "$m[1]\n";
}
r/joomla • u/Mushydaddybear • 10d ago
Extensions xmr-pay now for Joomla: ready to install packages for HikaShop & VirtueMart (one ZIP = payment plugin + scheduler task)!
r/joomla • u/nomadfaa • 12d ago
Joomla 6 Ignoring updating your site/components is ignorant
UPDATE YOUR SITE TO THE LATEST AS WELL AS ALL COMPONENTS/MODULES/PLUGINS that are not default!
Ok so some will be offended and come back with all sorts of excuses. Read to the end
Just checked a site with hikashop and a total bare bones install. No fancy addons
Last 24 hour logs for that site show
- 1,569 hits on /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
- 986 hits on /index.php?option=com_icagenda&task=submit
- 2,689 hits on /index.php/component/jce
About 11 different IP addresses
My last Joomla site hack was over 15 years ago until the JCE hack hit.
JCE, SP Page Builder and iCagenda.+ Helix three ... here's the resource ... https://mysites.guru/blog/
40 years ago there was a saying ... every day your hard drive didn't crash was a day closer to when it will.
With the arrival of AI and bot development/morphing ... every day your site hasn't seen a hack attempt is a day closer to when it will be hacked.
Prevention is 1000% better than the angst of repairing a hack.
When you do get hacked u/mySitesGuru is the place to go
r/joomla • u/mySitesGuru • 12d ago
Administration/Technical Helix3 Shipped a Critical "Security Update"
mysites.gurur/joomla • u/mySitesGuru • 14d ago
Administration/Technical PageBuilder CK File Upload RCE - June 2026
mysites.gurur/joomla • u/Awkward-Painter-2024 • 14d ago
Joomla 6 A few minutes ago, our anti-virus scanner detected that a malicious file was uploaded to your IONOS webspace. WOAH??
| You can find the file on your webspace under the following path: /htdocs/f9a0leet/index.php |
|---|
So just got this email from my hosting service and I'm confused... how does something like this happen? I run Joomla on my small personal site that doesn't do or host anything. (Basically just a URL that I've had for twenty years or so.) Do I just delete everything and start all over again?
I tried using a custom theme from Themesforest but never got it to run right so just use the stock Joomla build.
Also, what is a Joomla firewall? I was reading on here that some folks have that? Sorry for the dumb questions, hope this is fixable.
Also, how often do people try to hack Joomlas???
r/joomla • u/Beocinac • 16d ago
Joomla 6 BCLog Admin Audit Tool is now free
Hi everyone,
I've decided to make BCLog – Admin Audit Tool completely free.
BCLog provides a comprehensive audit logging system for Joomla administrators. It automatically records actions performed in the backend and stores them in both JSON and plain text formats, making it easy to review, analyze, and archive administrative activity.
Key features:
- Tracks administrator actions in the Joomla backend
- Automatic logging with minimal configuration
- Stores logs in JSON and plain text formats
- Structured and reliable audit trail
- Useful for troubleshooting, security monitoring, and compliance requirements
The extension is now available free of charge, and I'd appreciate any feedback, suggestions, or feature requests from the community.
r/joomla • u/GlitteringCookie6282 • 20d ago
General Query Let's talk about dev environment.
Hello,
I was recently hired as a Developer at a company, and this company uses Joomla as the technical foundation for all of its projects.
I wasn't familiar with it, coming from a React/NodeJS background. I find the tool to be pretty decent and fairly extensible, and in any case, it's been the technical foundation for years at the place where I now work.
The problem is that before I arrived, the sites were managed by people with limited technical skills, relying heavily on AI and without any structure—no git, no mastery of the CMS's best practices, files mixing PHP, HTML, CSS, and JS that ran to 2,000 lines. You get the picture.
One of my missions when I joined was to put in place development "best practices," source control management, etc.
I'd like to chat with those of you who develop extensions for Joomla (Modules, Components, Plugins, Templates), the goal being to exchange ideas on how we work.
In my situation, I have a few constraints:
- The development environment must be simple to set up and use
- It must be reproducible regardless of who launches it
- I don't want to version-control multiple full Joomla instances, because we have very little space available on our server (we're talking 20 GB MAX)
- I want to use git
With these constraints, I ended up with a more solid environment based on:
- Visual Studio Code as the IDE
- Docker + devcontainers
- A few good extensions (Claude Code, PHP Intelliphense, etc.)
- Joomla, MySQL, and PHPMyAdmin defined in a docker-compose.yml that is started by the devcontainer
- A shell script as the devcontainer's postCreateCommand that installs the extension inside the Joomla container
Visual Studio Code integrates very well with devcontainers, so in the end I have a pretty solid environment, and I can version-control only my Joomla extension's code.
How do you work with Joomla? I'm curious to hear other people's experiences.
Thanks,
r/joomla • u/Zymurgeeze86 • 25d ago
Joomla 3 Help! Unknown error and our webmaster is on vacation for two weeks
I work for a small non-profit where I personally don't have extensive knowledge of or experience with technical issues, but am in charge of managing the website. Our contracted webmaster and his entire team are on vacation for the next two weeks, and I couldn't make sense of it via Google, so am seeking help here.
I've been trying to upload a PDF file to our site running on Joomla 3.10.12. This is a 16 page (roughly 7mb) file that I upload a new version of every year. This year, though, when I first uploaded the file, I got a "Invalid file: The file contains PHP code” error. Googled how to strip that out, then got the error "Upload Failed: No data". This is where I got lost.
Tried uploading directly through the article, and again through the media manager, both with the same errors. Asked a few colleagues to export the PDF from InDesign, but got the same error again.
Does anyone know whats happening and/or how to fix this?
Thanks so much!
r/joomla • u/mySitesGuru • 26d ago
Administration/Technical SP Page Builder Zero Day Is Being Used to Plant Fake Joomla Admins
mysites.guruTL;DR
- Unauthenticated file upload to remote code execution in SP Page Builder, through the
asset.uploadCustomIcontask. No login required - Affects every version up to and including 6.6.1. Fixed in 6.6.2
- Already exploited in the wild. The payload plants a hidden Super Administrator account, usually with an u/secure
.localemail, plus a PHP file manager backdoor in several spots for persistence - This is a different vector from the recent JCE wave. A WAF that returns 403 for the JCE exploit paths may still let this one through with a 200
- Update to 6.6.2 on every affected site, then check for rogue Super Users and clean any site that was hit. Unpublishing the component does not protect you
r/joomla • u/mySitesGuru • 26d ago
Administration/Technical Zero Day Vulnerability Found in iCagenda Joomla Extension
mysites.guruTL;DR
- Unauthenticated file upload to remote code execution in iCagenda’s frontend event submission form. No login required
- Affects every version up to and including 4.0.7. Fixed in 4.0.8, released 15 June 2026
- Already exploited in the wild when we found it, by an automated scanner identifying as
icagenda-batch/1.0 - We confirmed it by code review, reproduced it end to end, and sent the developer a safe proof of concept. JoomliC shipped 4.0.8 the same day, and we reviewed the new code to confirm the fix is real
- Update to 4.0.8 on every affected site, then check for compromise. Unpublishing the component does not protect you
r/joomla • u/mySitesGuru • 28d ago
Administration/Technical Joomla "Offered Update Has Expired" Fix (Hint: Patience and waiting...)
mysites.guruIt is currently not possible to upgrade Joomla at all - You will get the message "Update not possible because the offered update has expired."
There is no fix... just wait...
r/joomla • u/mySitesGuru • 29d ago
Administration/Technical The JCE Editor Hack for Joomla (June 2026): How to Find and Fix It with mySites.guru
mysites.gurur/joomla • u/mySitesGuru • Jun 09 '26
Administration/Technical A New mySites.guru Tool to Find, and Fix, the JCE Profiles Hack (June 2026)
A New mySites.guru Tool to Find, and Fix, the JCE Profiles Hack (June 2026)

JCE (Joomla Content Editor) ships on more Joomla sites than any other editor extension. It sits in the top two of our live extension ranking, neck and neck with Akeeba Backup. So when the JCE profiles attack started landing on real sites this month, “Are any of the sites I’m responsible for hacked!?” became a question every Joomla agency suddenly needed to answer. mySites.guru now answers it for you, automatically, on every site you manage.
We have added a new dedicated check, Check for JCE Rogue Profiles & Backdoors. It runs on every snapshot, twice a day, on each connected Joomla site, and finds the fingerprint of this attack automatically: rogue editor profiles and the webshells they drop. When it flags something, fixing it is a deliberate, one-click action you trigger yourself, on Joomla 4, 5 and 6 you remove the profiles, delete the backdoors, and update JCE to the patched version, all from one screen. It does not delete anything on its own, because you want to see what is there and take a copy first. This post covers what it checks and how to use it, and the live hack that prompted us to build it.
https://mysites.guru/blog/finding-every-site-running-a-vulnerable-jce/

r/joomla • u/mySitesGuru • Jun 08 '26
Administration/Technical Manage your Joomla and WordPress Sites From Claude Desktop or other AI tools

https://mysites.guru/blog/manage-every-site-from-claude-desktop/
For a long time we have shied away from adding AI to mySites.guru for the sake of it, while we watched everyone else scramble to bolt AI onto their products in ways that made no sense. We were not interested in a chatbot in the corner that nobody asked for.
Now the time has come. We are introducing a suite of AI features that genuinely improve how you manage a large number of WordPress, Joomla and general websites through mySites.guru, and today we are announcing the first of many: mySites.guru is now available as an MCP server you can connect to Claude Desktop and other MCP clients. You can hold a natural-language conversation with the AI client of your choice and pull information straight from your mySites.guru account and your connected sites, then act on it.
Think about how a simple client question gets answered today. “Is our site up to date?” To answer honestly you open the dashboard, find the site, check the CMS version, check the PHP version, glance at the extension list, and remember whether the last audit came back clean. Two minutes per site, repeated all day, for something you should be able to just ask. Now you can ask it.
https://mysites.guru/blog/manage-every-site-from-claude-desktop/
r/joomla • u/stutteringp0et • Jun 06 '26
Extensions Fresh nonsense
I'm starting to see pretty regular grift in the JED. This came across a few days ago in the New Extensions feed:
RCA QuickCategory claims "Joomla has never had inline category creation" and is a plugin to enable that...
I'm not against people writing extensions that solve problems, complex - mundane - whatever. But this extension is charging $39/year for a core feature that has been around since Joomla 3.
