Recently an issue was reported to the Vulnerable Extensions List team, which affected the blogging platform for Joomla, Easy Blog. After some thought we decided that it did not fall within the normal definition of a security issue that would merit listing on the VEL. It was reported to us by a site owner whose site had been hit by an unusually sophisticated spam attack: the spammer was taking advantage of Easyblog and Joomla default settings, the result was that they were able to set themselves up multiple accounts as bloggers and create blog posts containing spammy links. In this case these links ended up getting indexed by Google, even though they would not show up to a normal visitor to the site.
The first that the site owner knew of this was through Google Webmaster - he found his list of keywords being filled by Polish words related to Spongebob (e.g. spandzbob, ladzie, gniewu, mad max, etc). The site itself is in English. He then looked his website up on Google and found a whole list of bogus blog posts in Polish. Moreover, on checking the backlinks to his site he found a list of similar Spongebob related blog entries on other English language sites. Many of these blog entries still exist, presumably the site owners remain unaware of the spammy content.
Now luckily for this site owner the entries related to quite innocent material: let's face it, who doesn't like Spongebob? So probably the reputational damage to his site is not too great. But Google has a memory, and puts considerable store by site reputation, so if it starts to view your site as being spammy, there is real harm done.
We think that it is the responsibility of webmasters to understand what their site settings allow others to do on their site, which was the main reason why we did not list Easy Blog on the VEL. By default, the current version of Joomla does not allow users to register, however Joomla 2.5 did, and earlier versions of 2.5 also allowed users to self-activate by default. Anyone who runs a Joomla site that has migrated from these earlier versions will have inherited these default settings, unless they have taken the trouble to change them. What apparently some webmasters do not realise is that you do not have to have a registration form published on your site for users to be able to register - a spammer can easily create their own html form and register if your site settings allow this. There are scripts available that will do exactly this.
Prior to version 5.0.5 of Easy Blog, which was released in June 2015, the default settings allowed registered users to create and publish their own blog items. The important thing to understand is that a blog entry does not need to be visible in your site navigation in order to be accessible by Google. You may have a menu item set up on your site that shows only blog entries by an individual user (you), but anyone, including search engines, will be able to see published blog entries by other users by using the appropriate URL for the entries. All that the spammer needs to do is to link to them elsewhere, and they will be picked up by Google.