Helix 3 security fix JUST RELEASED – see below
Five Joomla extensions, one repeating security mistake
If you manage Joomla sites, this month has felt like the same bug on a loop. Five separate extensions, all popular, all patched in the last few weeks, and nearly every one broke the same way: a front-end AJAX or upload endpoint that does its work before it checks who is calling it.
The newest is Helix3, where we found and reported an unauthenticated file write and arbitrary file delete. Before it: PageBuilder CK (unauthenticated file upload to remote code execution), SP Page Builder (a zero day being used to plant fake admins), iCagenda (file upload zero day), and the JCE editor, which has shipped a run of hardening releases after a full audit.
The shape is always the same. An endpoint checks a CSRF token, or nothing at all, but never asks whether the person calling it is actually allowed to do what they are asking. A token only proves the request came from a page this site served; it says nothing about whether the caller is logged in, let alone permitted to touch templates or files. So a guest with no account uploads a file, writes to your template, or deletes something they should never be able to touch. Different developer, different extension, same missing line of code.
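What that missing line looks like in a Joomla AJAX plugin, as an added illustration that is not code from Helix3, PageBuilder CK, SP Page Builder, iCagenda or JCE. The plugin names (demovuln, demosafe), the file-name pattern and the use of the com_templates core.manage permission are assumptions chosen for the example; the Joomla classes used (CMSPlugin, Factory, Session, File) are the real Joomla 4/5 API. The first class has the bug described above and in the Helix3 write-up below; the second is the same endpoint with the checks in place.

```php
<?php
// Added example for this newsletter, not code from any of the extensions named.
// Plugin names, the "settings.json" file and the permission checked are assumptions.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Filesystem\File;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\Session\Session;

/**
 * The bug shape. Reachable by anyone, logged in or not, at
 *   index.php?option=com_ajax&plugin=demovuln&format=json&file=...&data=...&<token>=1
 * It checks a CSRF token and nothing else, then writes wherever it is told.
 */
class PlgAjaxDemovuln extends CMSPlugin
{
    public function onAjaxDemovuln()
    {
        $input = Factory::getApplication()->getInput();

        // A CSRF token proves the request came from a page this site served.
        // A guest viewing the front end has a valid one. It is not authorization.
        Session::checkToken('get') or die('Invalid token');

        $file = $input->getString('file'); // attacker-controlled, may contain ../
        $data = $input->getRaw('data');

        // No identity check, no permission check, no path confinement:
        // a guest writes over any file the web server user can reach.
        File::write(JPATH_ROOT . '/templates/' . $file, $data);

        return ['ok' => true];
    }
}

/**
 * The same endpoint with the missing lines. Each check closes a different door:
 * identity (is anyone logged in?), permission (may this user manage templates?),
 * token (was this request forged?), and path (is the target a file this feature
 * is allowed to touch at all?).
 */
class PlgAjaxDemosafe extends CMSPlugin
{
    // Only this one file, in this one directory, may ever be written.
    private const TARGET_DIR = JPATH_ROOT . '/templates/demo';
    private const NAME_PATTERN = '/^[A-Za-z0-9_-]+\.json$/';

    public function onAjaxDemosafe()
    {
        $app   = Factory::getApplication();
        $input = $app->getInput();
        $user  = $app->getIdentity();

        // 1. Who is calling? Guests are refused before any work is done.
        if ($user === null || $user->guest) {
            throw new \RuntimeException('Login required', 401);
        }

        // 2. Is this user allowed to do what the endpoint does? "Logged in"
        //    is not enough; check the real action against the real component.
        if (!$user->authorise('core.manage', 'com_templates')) {
            throw new \RuntimeException('Not permitted', 403);
        }

        // 3. Now the CSRF token, so an authorized user cannot be tricked into
        //    making the request from another site.
        if (!Session::checkToken('get')) {
            throw new \RuntimeException('Invalid token', 403);
        }

        // 4. Confine the target: a bare file name matching a strict pattern,
        //    joined to a fixed directory. No directory components accepted.
        $name = $input->getString('file');
        if (!preg_match(self::NAME_PATTERN, $name) || basename($name) !== $name) {
            throw new \RuntimeException('Invalid file name', 400);
        }
        $path = self::TARGET_DIR . '/' . $name;

        $data = $input->getRaw('data');
        if (json_decode($data) === null) {
            throw new \RuntimeException('Expected JSON', 400);
        }

        if (!File::write($path, $data)) {
            throw new \RuntimeException('Write failed', 500);
        }

        return ['ok' => true, 'file' => $name];
    }
}
```

When auditing an extension, grep every `onAjax*` method, every controller task reachable from the front end and every upload handler for the three things the safe version does before it touches the filesystem: `getIdentity()`, `authorise()`, and a path check that cannot be steered with `../`. A `checkToken()` call on its own is the pattern this month's bugs share, not a fix for it.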
Every post below is free to read on the blog
Helix3 shipped a critical fix as “Security Update”
We found this while investigating a hacked customer site and traced the compromise to the Helix3 ajax plugin. Before the 3.1.1 patch, a guest with no login could write files into your template, delete arbitrary files, and overwrite your template settings. JoomShaper fixed it fast, but told nobody what it was: the changelog reads, in full, “Security Update”. Helix3 runs on current Joomla 4, 5 and 6, so this is not a legacy problem. Update every install to 3.1.1 now.
The hard part is knowing which of your sites are affected
When five extensions need patching at once, the question is never “how do I update one site”, it is “which of my sites even have these installed”. mySites.guru keeps a live inventory of every extension on every connected Joomla and WordPress site. Search once for Helix3, JCE, or any of the others, see every install and its version, and push the update across all of them without logging into each admin panel by hand.
Need help with your site?
Phil Taylor – Fixing websites since 2004
Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.
✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
If I can't add value, you don't pay