Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Baddies Caught Exploiting Critical Joomla Extension Bugs, Leaving Millions of Websites Vulnerable to Attack


Critical Joomla extension bugs have been discovered, leaving millions of websites vulnerable to attack. The vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog, with fixes already available for both affected extensions. Developers are urged to patch these flaws to prevent exploitation and protect their sites from attackers.

  • Millions of websites worldwide are vulnerable to attack due to critical extension bugs in Joomla.
  • The vulnerabilities have a maximum CVSS score of 10, indicating high severity and allowing attackers to gain remote control over affected sites.
  • iCagenda's attachment feature allows attackers to upload malicious PHP files, while Balbooa Forms' frontend upload endpoint accepted files from anonymous visitors without authentication or checks.
  • Patch versions have been released for both extensions: iCagenda (4.0.8) and Balbooa Forms (2.4.1), but exploitation continues against sites that haven't updated their extensions.



  • Baddies caught exploiting critical extension bugs in the open-source content management system (CMS) Joomla have left millions of websites worldwide vulnerable to attack. The vulnerabilities were discovered by the Cybersecurity and Infrastructure Security Agency (CISA), which added two critical bugs to its Known Exploited Vulnerabilities catalog. These bugs are present in iCagenda, an events calendar extension for Joomla, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads.

    The discovered vulnerabilities have a maximum CVSS score of 10, indicating their high severity. This allows attackers to upload arbitrary files that can be executed as PHP code on the server, thereby gaining remote control over the affected site. The CISA has urged federal civilian agencies to patch against these flaws under its vulnerability management directive, but the warning is also relevant to the wider Joomla community.

    According to researchers, the iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature. This feature was intended for legitimate users to contribute events to a site's calendar. However, an attacker could exploit this by uploading a malicious PHP file that would execute as code on the server. The attacks began with automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers.

    Similarly, the Balbooa Forms bug is much the same story. The extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. This made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. Researchers discovered this flaw while investigating an abuse report from a customer whose Joomla site was already under attack.

    Fortunately, patch versions 4.0.8 and 3.9.15 were released for iCagenda in mid-June, and Balbooa Forms responded with version 2.4.1 on July 9. However, researchers warned that exploitation is continuing against sites that have yet to update their extensions.

    It's worth noting that the attackers did not wait around for release notes before exploiting these vulnerabilities. While this could be a negative, the fixes are already available for both extensions. Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform.

    The CISA's decision to add these vulnerabilities to its catalog highlights the importance of staying up-to-date with security patches and monitoring for potential attacks. As the threat landscape continues to evolve, it is essential for developers, administrators, and users to be vigilant in their efforts to protect themselves against such exploits.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Baddies-Caught-Exploiting-Critical-Joomla-Extension-Bugs-Leaving-Millions-of-Websites-Vulnerable-to-Attack-ehn.shtml

  • https://www.theregister.com/security/2026/07/14/baddies-caught-exploiting-extensions-bugs-with-perfect-10-scores-on-vulnerable-joomla-websites/5271001


  • Published: Wed Jul 15 01:00:56 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us