Vulnerable Extensions List


Vulnerable Extensions List

Vulnerable Extensions List

Jump to: navigation, search


List prior to Jnuary 2011 (now archived) Please check here also. Please also check the Extension Investigation List.



Check and Report.

Please check with the extension publisher in case of any questions over the security of their product.

Report Vulnerable extensions in the vel website

How to use this list

Items will be removed after a suitable period and not on resolution.

All known vulnerable extensions are the listed in the first column “Extension”. Any in a red box are where we have not been given a fix. Any in a turquoise box contain a link to the notice about an update with link. Any that are in an uncolored box are a “Contact the Developer About This Extension”. Alert Advisory details are in the center column. If the “Extension Update Link & Date Column has Not Known then it is where no update is known.

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

  • We do not list BETA products, or extensions for J1.0.x

Developers – How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

۱- Solve the issues.

۲- Attach the new zip file at your actual JED listing.

۳- Change the extension version at JED listing.

۴- Make sure to include a notice in the JED description to the fact that the new release is a “Security Release” and those who use the extension should upgrade immediately.

۵-complete the resolution form on the website at from 1st May 2013

۶- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page

VEL email can be found above and the JED support link is in your notice of “unpublication” and here

  • If not JED listed.

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

January 2012 and onwards Reported Vulnerable Extensions


Extension Details Date Added Extension Update Link & Date

civic crm 422

upload exploit /RFI ۲۶۰۴۱۳ developer release 4.3.1


xss ۲۳۰۴۱۳ developer release statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3

aiContactSafe 2.0.19

xss ۱۶۰۴۱۳ developer release statement for version 2.0.21


SQL ۱۸۰۳۱۳ developer release statement for version 12

Multiple Customfields Filter for Virtuemart

SQLi ۱۸۲۱۲ developers 1.6.8 update statement


Various [] ۲۳۰۱۱۳ developer update statement to 0.5.1

tz guestbook

Various ۱۰۰۱۱۳ developer release statement for 1.1.2


۲٫۱٫۲, ۲٫۱٫۱, ۲٫۱٫۰ and 2.1.0RC5 are vulnerable to an authentication bypass ۲۵۱۲۱۲ developer update to 2.1.3 statement


SQLi ۱۰۱۲۱۲ developer release new version 1.13.1 – upgrade notice

Multiple Customfields Filter for Virtuemart

SQLi ۱۸۲۱۲ developers update statement

ag google analytic

Various ۰۶۱۲۱۲

sh404sef <3.7.0

Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 ۲۶۱۱۲ developer statement

Login Failed Log

۲۳۱۱۲ ID – information disclosure developer release statement to ver 1.5.4


۱۳۱۱۱۲ developer update statement to version 7.9.1 151112

Joombah Jobs

Upload restriction issues ۱۳۱۱۱۲ developer update statement


RFI ۲۳۱۰۱۲ developer update statement to version 3.2 271012


SQLi + ID ۲۲۱۰۱۲ Developer states current version not exploitable by reported methods


SQLi Developer statement for 1.2.9

JTag [joomlatag]


Freestyle Support

SQLi developer update statement 251012


DT ۰۱۱۰۱۲ AceFTP 2.0.0 released. Developer statement 101012


DT ۰۱۱۰۱۲ *reported fixed prior to notification*

spider calendar lite

RFI ۱۸۰۹۱۲ developer release version 1.5 version


SQLi Rereported 180912 Developer states: no known exploits for our current versions of RokModule Joomla 2.5 – v1.3 Joomla 1.5 – v1.4


SQLi developer security release – v1.2.1 ۰۸۰۹۱۲

En Masse cart

RFI ۰۶۰۸۱۲ Developer upgrade statement to 3.1.3

JCE (joomla content editor)

Upload Restriction <2.2.4 ۰۵۰۸۱۲ Developer states current version not exploitable


SQLi XSS ۳۱ ۰۷ ۱۲ Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 released


Unrestricted uploads ۱۶۰۷۱۲ Developer release version 2.0.3 180712


RFI ۱۶۰۷۱۲ The security update version 1.5.72 advise can be found here:German English

Shipping by State for Virtuemart

elevated permissions ( ۱۶۰۶۱۲ Upgrade to v2.5 download commercial product 300612

ownbiblio 1.5.3

SQLi + ۲۵۰۵۱۲

Ninjaxplorer <=1.0.6

developer notification ۲۵۰۴۱۲ developer statement upgrade to 1.0.7

Phoca Fav Icon

Permissions Rewrite ۱۵۰۴۱۲ developer update 2.0.3 statement

estateagent improved

sqli ( ۱۱۰۴۱۲ developer states previous version, not current version


۱۱۰۴۱۲ sql (no longer maintained)

JLive! Chat v4.3.1

DT ۰۶۰۴۱۲ Developer reports as unproven

virtuemart 2.0.2

SQLi ۰۵۰۴۱۲ developers release statementCurrent version 2.0.6 released

JE testimonial

SQLi ۲۳۰۳۱۲ Developer states malicious report.


excessive file permission ۰۹۰۲۱۲ version 1.3.1 released

Quickl Form

xss ۲۶۰۱۱۲

آیا این پاسخ به شما کمک کرد?

افزودن به مورد علاقه ها افزودن به مورد علاقه ها    پرینت این مقاله پرینت این مقاله

در همین زمینه
Creating a basic Joomla! template (مشاهدات: ۵۰۹)
Installing Joomla (مشاهدات: ۷۲۹)
Changing the site favicon (مشاهدات: ۵۲۶)

Powered by WHMCompleteSolution