Subscribe to the Joomla! VEL newsletter

joomla support cheshire manchester merseyside north west uk

VEL = Vulnerable Extensions List

The VEL Newsletter contains regular announcements about vulnerable extensions.

If you see an extension that you use is listed then you should immediately:

  • look for an alternative,
  • or contact the developer for clarification.

You can of course unpublish a listed extension but this will not of itself protect your website from being compromised.

Uninstall it instead AND check that there are no remaining:

  • directories and files left on the server (in public_html or httpdocs, depending upon the configuration of the server used to host your website),
  • tables and rows (of the extensions table) in the database (you can check using PhpMyAdmin in your Hosting Control Panel).

Ask yourself these questions:

  • when did you last back up your website?
  • how resilient are you?

In other words

  • if required, could you roll back to a last known 'clean' backup should the need arise?

Visit the link below to subscribe to the VEL Newsletter.

Browse the VEL.

Subscribe to the VEL Newsletter.


Reasons why extensions are added to the VEL

There are many.

The most common in 2017 has been: SQL injection i.e. compromised database.

This is why you should check the database for left-over tables and rows (of the extensions table).

Others include:

  • SQL Injection and XSS,
  • Information disclosure,
  • Abandonware,
  • Installer includes a tracking script,
  • Directory Traversal,
  • Malicious links,
  • Remote code execution.

Just occasionally you may see a more unusual reason.

Here are two examples.

HDW Player,4.0.0, RCE

Posted: 24 Oct 2017 03:04 PM PDT

HDW Player,4.0.0 and all other versions, remote code execution


"Note that this vulnerabilitiy was supposedly fixed by the developer in version 3.2.2, the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that this extension should be regarded as malicious and should be permanently removed from any site using it."


Google Maps by Reumer, 3.5, Malicious update

Posted: 20 Oct 2017 03:08 PM PDT

Google Maps by Reumer, from, version 3.5, malicious update


"Version 3.3 of this plugin is listed in the JED and appears to be clean. However once installed, the Joomla update manager prompts you to update this extension to a version 3.5 (which is not officially published). This version contains hidden backlinks and potential backdoor, with tracking information about the website running the plugin and user."


Make Joomla! CMS Security YOUR #1 Priority

joomla support cheshire manchester merseyside north west ukWe offer Joomla! coaching, help and support to businesses and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.

Learn how to manage Joomla! website security.