Subscribe to the Joomla! VEL newsletter
VEL = Vulnerable Extensions List
The VEL Newsletter contains regular announcements about vulnerable extensions.
If you see an extension that you use is listed then you should immediately:
- look for an alternative,
- or contact the developer for clarification.
You can of course unpublish a listed extension but this will not of itself protect your website from being compromised.
Uninstall it instead AND check that there are no remaining:
- directories and files left on the server (in public_html or httpdocs, depending upon the configuration of the server used to host your website),
- tables and rows (of the extensions table) in the database (you can check using PhpMyAdmin in your Hosting Control Panel).
Ask yourself these questions:
- when did you last back up your website?
- how resilient are you?
In other words
- if required, could you roll back to a last known 'clean' backup should the need arise?
Visit the link below to subscribe to the VEL Newsletter.
Reasons why extensions are added to the VEL
There are many but the most common in recent times has been SQL injection, resulting in a compromised database.
So check your website's database for left-behind tables and rows (of the extensions table) after you uninstall a 3rd party extension.
Other reasons include:
- SQL Injection and XSS,
- Information disclosure,
- Installer includes a tracking script,
- Directory Traversal,
- Malicious links,
- Remote code execution.