On 11th May 2018 the VEL were alerted to an apparently malicious extension. A user had found that the extension Nexevo Contact Form had PHP code hidden inside a PNG file, and had reported it to the JED.

We investigated and found this to be correct. The file was modules/mod_nexevocontact/helpers/loading.png. Upon further review of the code, we found additional malicious code in the other module helper files, dateSelect.php and imageCache.php. Together, what this code was designed to do, was to install a malicious system plugin called System - Section. The code for the plugin was hidden in the PNG file.


System - Section is disguised as a legitimate plugin for JComments. In reality it has nothing to do with JComments, and the only thing that it actually does is to take content from a 3rd party site and insert it into page output. It is probably intended mainly for inserting spam links, but the way that it works is highly insecure, and there is the possibility of also executing PHP code drawn from the 3rd party site, so that it is a true back door and a high level security risk. System - Section is malware, it has no legitimate purpose, and if you ever find it installed on your site you should remove it immediately and treat your site as having been hacked. You can find advice on how to deal with this in the Joomla! security forums at forum.joomla.org .

Most of the work of the VEL involves dealing with the same two vulnerabilities: sql injection and cross-site scripting. They are so common that there are standard methods for preventing them by escaping untrusted input.

Recently we received a more unusual report, from a security researcher, concerning a CSV injection vulnerability in AcyMailing (see https://www.owasp.org/index.php/CSV_Injection). It quickly became apparent that this was a wider issue of insecurities in csv export files rather than one specific to AcyMailing. The problem arises because, when imported into a spreadsheet, some special characters can be interpreted as formulae. In Excel in particular, it is possible for an attacker to run commands on a user's computer, for example opening up other programs such as Windows PowerShell. However Excel is not alone in having vulnerabilities, it may (for example) also be possible to exploit Google Sheets to steal user data through crafted data. The more we looked into it, the more it looked like one big fat can of worms.

Have you seen a vulnerability in a Joomla extension being reported elsewhere, but it is not listed on the VEL?

If so, please report it to the VEL using our reporting form here: https://vel.joomla.org/submit-vel . It only takes a couple of minutes and it gives us an opportunity to investigate. While we do actively monitor other sites we cannot read the entire internet on a daily basis and it really helps if others take the time to do this.

Things not to do:-

  • ignore it
  • post it to boost your ego on Twitter, but do nothing to report it to the VEL

Remember that you are doing a service to the entire Joomla community in ensuring that accurate information is conveyed to users about extension vulnerabilities.

The VEL are happy to announce the release of a JSON-formatted feed of extensions on the VEL live and resolved lists.

The feed and its data are licensed under the GPL, and may be used in any way compatible with the GPL, including being used in commercial plugins. We encourage the development of plugins that can use this data.

You can find out more here.

Please contact the developer for more information

abandoned trolley

The VEL team have introduced a new listing category for abandon ware, while not always vulnerable to exploits, projects abandoned may in time introduce an entry to exploit websites.


Reporting is easy and consists of a few simple questions. Your Name & Your Email, so we can thank you for your report,  obviously the extension name,  Extension url so we can check it out and also reason you believe its abandoned.
View the abandoned list at https://vel.joomla.org/abandonware and report them via the abandon ware form