The VEL team have once again been made aware of a large list of extension exploits posted by one user on an exploit reporting site. We contacted several of the developers for their comments, and our team also checked these reports.
Some of the developers contacted us to confirm the reports were fake or "greetz spam".

Here are some clues that made us suspicious.

We currently have several positions we need to fill on our team.
Non coders welcome to apply.

Developer Coordinator - Supports developers in getting exploits resolved.

Exploit Researcher - Locates latest exploits via news feeds and website links.

Extension Tester - Tests updates against PoC. A PoC tester is expected to be able to do the following: download a suspected vulnerable extension, install it on the latest version of Joomla, and test the proof of concept from alerts to confirm or deny that the extension is vulnerable. They should be able to test all methods of exploit and prepare a summary of findings.

Apply for roles at


On 11th May 2018 the VEL were alerted to an apparently malicious extension. A user had found that the extension Nexevo Contact Form had PHP code hidden inside a PNG file, and had reported it to the JED.

We investigated and found this to be correct. The file was modules/mod_nexevocontact/helpers/loading.png. Upon further review of the code, we found additional malicious code in the other module helper files, dateSelect.php and imageCache.php. Together, this code was designed to install a malicious system plugin called System - Section. The code for the plugin was hidden in the PNG file.

System - Section is disguised as a legitimate plugin for JComments. In reality it has nothing to do with JComments, and the only thing that it actually does is take content from a 3rd party site and insert it into page output. It is probably intended mainly for inserting spam links, but the way that it works is highly insecure, and there is also the possibility of executing PHP code drawn from the 3rd party site, so it is a true back door and a high level security risk. System - Section is malware. It has no legitimate purpose, and if you ever find it installed on your site you should remove it immediately and treat your site as having been hacked. You can find advice on how to deal with this in the Joomla! security forums at .
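A check a site owner could run over an extensions directory for the kind of disguised image file described above. This is an added example, not VEL or Joomla code: it assumes the payload is either a script saved with a .png name or PHP text embedded in or appended to a real PNG, and the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_TAG = b"<?php"  # short tags (<?=) omitted: too noisy on binary data

def chunk(ctype: bytes, body: bytes = b"") -> bytes:
    """Build one PNG chunk: length, type, body, CRC32 over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_png(data: bytes) -> list[str]:
    """Return findings for a file named *.png; an empty list means clean."""
    findings = ["contains PHP open tag"] if PHP_TAG in data.lower() else []
    if not data.startswith(PNG_MAGIC):
        return findings + ["bad PNG signature"]
    pos, seen_iend = len(PNG_MAGIC), False
    while pos + 12 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            break
        if zlib.crc32(data[pos + 4:end - 4]) != int.from_bytes(data[end - 4:end], "big"):
            findings.append(f"bad CRC in {ctype.decode('latin-1')} chunk")
        pos, seen_iend = end, ctype == b"IEND"
    if not seen_iend:
        findings.append("no IEND chunk (truncated or malformed)")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Inspect every *.png under root; report only files with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.png")):
        if findings := inspect_png(path.read_bytes()):
            report[str(path)] = findings
    return report

# Constructed samples, not bytes from the real extension.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
IDAT = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
CLEAN_PNG = PNG_MAGIC + chunk(b"IHDR", IHDR) + chunk(b"IDAT", IDAT) + chunk(b"IEND")
APPENDED = CLEAN_PNG + b"<?php /* placeholder */ ?>"  # PHP after the image
RENAMED_SCRIPT = b"<?php /* placeholder */ ?>"  # script saved as .png

if __name__ == "__main__":
    print([inspect_png(b) for b in (CLEAN_PNG, APPENDED, RENAMED_SCRIPT)])
```

A payload that is encoded before being embedded will not trip the open-tag check, so the structural findings (bad signature, bad CRC, data after IEND) matter as much as the string match.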

Most of the work of the VEL involves dealing with the same two vulnerabilities: SQL injection and cross-site scripting. They are so common that there are standard methods for preventing them by escaping untrusted input.

Recently we received a more unusual report, from a security researcher, concerning a CSV injection vulnerability in AcyMailing (see ). It quickly became apparent that this was a wider issue of insecurities in CSV export files rather than one specific to AcyMailing. The problem arises because, when imported into a spreadsheet, some special characters can be interpreted as formulae. In Excel in particular, it is possible for an attacker to run commands on a user's computer, for example opening up other programs such as Windows PowerShell. However, Excel is not alone in having vulnerabilities; it may (for example) also be possible to exploit Google Sheets to steal user data through crafted data. The more we looked into it, the more it looked like one big fat can of worms.

Have you seen a vulnerability in a Joomla extension being reported elsewhere, but it is not listed on the VEL?

If so, please report it to the VEL using our reporting form here: . It only takes a couple of minutes and it gives us an opportunity to investigate. While we do actively monitor other sites we cannot read the entire internet on a daily basis and it really helps if others take the time to do this.

Things not to do:-

  • ignore it
  • post it to boost your ego on Twitter, but do nothing to report it to the VEL

Remember that you are doing a service to the entire Joomla community in ensuring that accurate information is conveyed to users about extension vulnerabilities.