Vulnerable Extensions List


Vulnerable Extensions List

Vulnerable Extensions List

Jump to: navigation, search


List prior to Jnuary 2011 (now archived) Please check here also. Please also check the Extension Investigation List.



Check and Report.

Please check with the extension publisher in case of any questions over the security of their product.

Report Vulnerable extensions in the vel website

How to use this list

Items will be removed after a suitable period and not on resolution.

All known vulnerable extensions are the listed in the first column “Extension”. Any in a red box are where we have not been given a fix. Any in a turquoise box contain a link to the notice about an update with link. Any that are in an uncolored box are a “Contact the Developer About This Extension”. Alert Advisory details are in the center column. If the “Extension Update Link & Date Column has Not Known then it is where no update is known.

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

  • We do not list BETA products, or extensions for J1.0.x

Developers – How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a “Security Release” and those who use the extension should upgrade immediately.

5-complete the resolution form on the website at from 1st May 2013

6- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page

VEL email can be found above and the JED support link is in your notice of “unpublication” and here

  • If not JED listed.

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

January 2012 and onwards Reported Vulnerable Extensions


Extension Details Date Added Extension Update Link & Date

civic crm 422

upload exploit /RFI 260413 developer release 4.3.1


xss 230413 developer release statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3

aiContactSafe 2.0.19

xss 160413 developer release statement for version 2.0.21


SQL 180313 developer release statement for version 12

Multiple Customfields Filter for Virtuemart

SQLi 18212 developers 1.6.8 update statement


Various [] 230113 developer update statement to 0.5.1

tz guestbook

Various 100113 developer release statement for 1.1.2


2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass 251212 developer update to 2.1.3 statement


SQLi 101212 developer release new version 1.13.1 – upgrade notice

Multiple Customfields Filter for Virtuemart

SQLi 18212 developers update statement

ag google analytic

Various 061212

sh404sef <3.7.0

Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 26112 developer statement

Login Failed Log

23112 ID – information disclosure developer release statement to ver 1.5.4


131112 developer update statement to version 7.9.1 151112

Joombah Jobs

Upload restriction issues 131112 developer update statement


RFI 231012 developer update statement to version 3.2 271012


SQLi + ID 221012 Developer states current version not exploitable by reported methods


SQLi Developer statement for 1.2.9

JTag [joomlatag]


Freestyle Support

SQLi developer update statement 251012


DT 011012 AceFTP 2.0.0 released. Developer statement 101012


DT 011012 *reported fixed prior to notification*

spider calendar lite

RFI 180912 developer release version 1.5 version


SQLi Rereported 180912 Developer states: no known exploits for our current versions of RokModule Joomla 2.5 – v1.3 Joomla 1.5 – v1.4


SQLi developer security release – v1.2.1 080912

En Masse cart

RFI 060812 Developer upgrade statement to 3.1.3

JCE (joomla content editor)

Upload Restriction <2.2.4 050812 Developer states current version not exploitable


SQLi XSS 31 07 12 Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 released


Unrestricted uploads 160712 Developer release version 2.0.3 180712


RFI 160712 The security update version 1.5.72 advise can be found here:German English

Shipping by State for Virtuemart

elevated permissions ( 160612 Upgrade to v2.5 download commercial product 300612

ownbiblio 1.5.3

SQLi + 250512

Ninjaxplorer <=1.0.6

developer notification 250412 developer statement upgrade to 1.0.7

Phoca Fav Icon

Permissions Rewrite 150412 developer update 2.0.3 statement

estateagent improved

sqli ( 110412 developer states previous version, not current version


110412 sql (no longer maintained)

JLive! Chat v4.3.1

DT 060412 Developer reports as unproven

virtuemart 2.0.2

SQLi 050412 developers release statementCurrent version 2.0.6 released

JE testimonial

SQLi 230312 Developer states malicious report.


excessive file permission 090212 version 1.3.1 released

Quickl Form

xss 260112

آیا این پاسخ به شما کمک کرد?

افزودن به مورد علاقه ها افزودن به مورد علاقه ها    پرینت این مقاله پرینت این مقاله

در همین زمینه
Creating a basic Joomla! template (مشاهدات: 509)
Installing Joomla (مشاهدات: 729)
Changing the site favicon (مشاهدات: 526)

Powered by WHMCompleteSolution