Fwd: URGENT: Novarain Framework (nrframework) Joomla Vulnerability


Dorothy Firsching

Mar 30, 2026, 1:41:44 PM (6 days ago) Mar 30
to novaj...@googlegroups.com


Dorothy Firsching, PMP
Ursa Major Consulting
9536 Stevebrook Road
Fairfax, VA  22032

---------- Forwarded message ---------
From: Phil Taylor <ph...@phil-taylor.com>
Date: Mon, Mar 30, 2026, 1:38 PM
Subject: URGENT: Novarain Framework (nrframework) Joomla Vulnerability



URGENT: The Novarain/Tassos Framework for Joomla has a critical vulnerability (CVE-2026-21627, CVSS 9.5). Your sites have nrframework installed. Check and update now.

⚠ Urgent Security Alert ⚠

mySites.guru
Novarain Framework Joomla Vulnerability

Security

Novarain Framework vulnerability: check your Joomla sites for nrframework

We're writing to you because one or more of your Joomla sites on mySites.guru has plg_system_nrframework installed, which has a critical vulnerability that was disclosed six weeks ago but remains unpatched on many sites.

CVE-2026-21627 (CVSS 9.5 Critical) allows unauthenticated attackers to include arbitrary PHP files, delete files, and perform SQL injection through Joomla's com_ajax endpoint. No login is required. A public exploit tool with multiple attack modes is on GitHub.

You may not recognise the name "Novarain Framework" because it's a hidden dependency. If you installed Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, Smile Pack, or MailChimp Auto-Subscribe from Tassos.gr, the framework plugin was installed automatically alongside it.

This was patched in February. Update now.

Tassos.gr released patched versions on 18 February 2026, but as of 30 March, 46.5% of affected sites in our dataset are still running vulnerable versions. The exploit is fully unauthenticated, meaning anyone on the internet can target your site without needing any credentials. Versions 4.10.14 through 6.0.37 of nrframework are affected. Update to 6.0.38 or later.




This list is based on the most recent snapshot data from your connected sites.


What you need to do

1

Check your sites in mySites.guru

Open your nrframework extension page to see every site with any version installed, then update using the mass updater.

2

Update the Tassos extensions

Update any Tassos extension (Convert Forms, EngageBox, etc.) to the latest version via System > Update > Extensions in your Joomla admin, or download from Tassos.gr. Updating one Tassos extension automatically updates the shared nrframework plugin across all their products.

3

Run a security audit

If your sites were running a vulnerable version during the six weeks since disclosure, run a security audit to check for uploaded PHP shells, unauthorized admin accounts, and modified files. The exploit allows unauthenticated file inclusion and SQL injection, so attackers could have left backdoors.

4

Can't update? Disable it.

If your Tassos.gr subscription expired or you need time to test, disable plg_system_nrframework in System > Manage > Plugins as an interim measure. Convert Forms and EngageBox will stop working, but a broken contact form is better than a compromised server.

Read the full breakdown on the mySites.guru blog

See also: Tassos.gr's own security advisory


Why this is serious

The exploit chains three attack primitives: arbitrary PHP file inclusion via the ajaxTaskInclude() method, arbitrary file read/delete via built-in gadget classes, and SQL injection via unparameterised database queries. Chained together, that's full site takeover.

This is the same class of vulnerability we saw with the Astroid Framework (CVE-2026-21628) earlier this month: a shared Joomla framework plugin with AJAX endpoints that bypass authentication checks. Both are hidden dependencies that most site owners don't know are installed.

Tassos.gr responded quickly with patches on 18 February. The vendor did their part. But a patch nobody installs protects nobody, and the public exploit on GitHub means the window for automated attacks is wide open.

Phil Taylor

Want someone to handle this for you?

Phil Taylor - Fixing websites since 2004

If you'd rather hand this off, submit a request at fix.mysites.guru. For a flat £120, the site gets patched, audited for backdoors, and handed back secure.

Get expert help today

If I can't add value, you don't pay

ent since 2012

You're receiving this because your mySites.guru account has Joomla sites with plg_system_nrframework installed.
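The email tells site owners to find every install of nrframework and compare it against the affected range. As an added example (not from the email, mySites.guru or Tassos.gr), this script audits one or more Joomla document roots by reading the plugin's manifest and classifying the installed version; it assumes the standard Joomla system-plugin layout (plugins/system/nrframework/nrframework.xml), which is an assumption, and uses only the version range stated above.

```python
"""Audit Joomla document roots for a vulnerable nrframework system plugin."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Range from the advisory: 4.10.14 through 6.0.37 are affected, 6.0.38+ is patched.
FIRST_AFFECTED = (4, 10, 14)
FIRST_FIXED = (6, 0, 38)
# Standard Joomla location for a system plugin's manifest (assumed, not verified here).
MANIFEST = Path("plugins/system/nrframework/nrframework.xml")


def parse_version(text):
    """Turn '6.0.37', 'v6.0.37' or '6.0.37-pro' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when the installed version lies inside the affected range from the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def audit_site(site_root):
    """Classify one Joomla root as ('absent', None), ('unknown', None),
    ('vulnerable', version) or ('not in affected range', version).
    Versions older than 4.10.14 are simply outside the range the advisory names."""
    manifest = Path(site_root) / MANIFEST
    if not manifest.is_file():
        return ("absent", None)
    version_el = ET.parse(manifest).getroot().find("version")
    if version_el is None or not version_el.text:
        return ("unknown", None)
    version = version_el.text.strip()
    status = "vulnerable" if is_vulnerable(version) else "not in affected range"
    return (status, version)


if __name__ == "__main__":
    # Usage: python nrframework_audit.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        status, version = audit_site(root)
        suffix = f" ({version})" if version else ""
        print(f"{root}: nrframework {status}{suffix}")
```

Sites reported as vulnerable should be updated through any Tassos extension as described in step 2, or have the plugin disabled as in step 4 until they can be.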

