Fwd: Another Joomla Extension zero-day, and another extension provider drops Joomla 3 support

1 view
Skip to first unread message

Dorothy Firsching

unread,
Jul 9, 2026, 10:59:27 AM (22 hours ago) Jul 9
to novaj...@googlegroups.com
Holy ***.   I don't think that this affects my websites but it looks like with AI we are in for more of this kind of thing. 
Dorothy

---------- Forwarded message ---------
From: Phil Taylor <ph...@phil-taylor.com>
Date: Thu, Jul 9, 2026 at 6:38 AM
Subject: Another Joomla Extension zero-day, and another extension provider drops Joomla 3 support
To: <dfirs...@acm.org>


An actively exploited Joomla zero-day in Balbooa Forms, plus four guides on finding and cleaning a compromised site
mySites.guru
 
mySites.guru Blog

Another Joomla Extension zero-day, and another extension provider drops Joomla 3 support

Today we announce a serious critical vulnerability, already being exploited, in Balbooa Forms, a popular Joomla form builder. Up to and including version 2.4.0, anyone could upload a PHP file through a public form and run it, with no login and no token. That is full remote code execution from the open internet, and it was already being exploited when we found it. It is fixed in 2.4.1, so if you run Balbooa Forms anywhere, update now. And breaking today: JoomShaper has stopped patching Joomla 3 across SP Page Builder, Helix, and the rest of its range, with no security fixes regardless of severity. More on both below.

A flaw like that is only half the story. What usually costs people more is what happens after, because a site rarely stays clean after one pass. So the rest of this issue is about actually clearing a compromise: the reinfection hiding in a crontab you can't see, why the second wave does the real damage, how to delete thousands of malicious .htaccess files at once, and how to tell suspect content from hacked files when you're staring at a scan and not sure what to trust.

All guides are free to read on the blog

 

Zero-day

Balbooa Forms – anyone could run code on your Joomla site

Balbooa Forms Unauthenticated File Upload RCE

The frontend upload in Balbooa Forms took a file from anyone, with no login, no token, and no check on the file type. A single request could drop a PHP file into a public folder and run it: unauthenticated remote code execution, the worst outcome a web flaw can have. It was being exploited in the wild before the patch shipped. Balbooa fixed it in 2.4.1 within a day of a private report. Update every install, then check any older site for tampering.

Read the full breakdown
 

New

The Helix3 defacement that file scanners never find

The Helix3 AntonKill Defacement Wave

The "Hacked by AntonKill" defacement is hitting Joomla sites through the Helix3 framework, and it hides where most cleanups never look: the payload sits in the database, not in a file. Scan the filesystem and you'll come up clean while the defacement keeps serving. This post shows where it lives, how to clear it in one click, and how to find every affected site in your account.

See how it works
 

New

JoomShaper just stopped supporting their Joomla 3 extensions

JoomShaper Ends Joomla 3 Security Fixes

Breaking today: JoomShaper, the maker of SP Page Builder and the Helix framework, has ended support for the Joomla 3 versions of all its products. Their words: "No security patches, regardless of severity." If a critical flaw turns up in the Joomla 3 build of SP Page Builder tomorrow, it does not get fixed. It's a defensible call, but it leaves a lot of live sites exposed, and JoomShaper's own extensions have thrown up serious flaws lately. Here's who is affected and what to do.

See who's affected
 

When a site does get hit

New

Reinfected? Check Every Crontab

Reinfected? Check Every Crontab, Not Just Yours

New

Hacked Yesterday, Exploited Today

Hacked Yesterday, Exploited Today: Why One Cleanup Is Never the End

New

Delete Malicious .htaccess Files in Bulk

Delete 9,000 Hacker .htaccess Files in One Click

New

Suspect Content vs Hacked Files

Suspect Content vs Hacked Files: One Big Difference

 
Phil Taylor

Need help with your site?

Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
Get expert help today

If I can't add value, you don't pay

mySites.guru

Website management since 2012

 
Unsubscribe
Reply all
Reply to author
Forward
0 new messages