
Millions of websites at risk, as Joomla high level security flaw discovered. Update now


December 14, 2016


If you’re running a website of any size there is a good chance that you are using a content management system (CMS).

A CMS is the piece of software which manages all of the content on your website, ensuring that visitors get to see the web pages and images that they expect to see. As such, for many websites, the CMS is an essential part of how they deliver content to their visitors.

The CMS with the largest market share by far (over 50%) is WordPress – the platform which Hot for Security is running on – but next in line are Joomla and Drupal.

Although in second place, the free, open-source Joomla CMS software still powers millions of websites around the world.

Indeed, the tagline the software uses to promote itself is “Joomla! The CMS Trusted By Millions for their Websites.”


As a result of its popularity, it’s essential that website administrators keep Joomla updated and patched to help prevent hackers from exploiting security holes.

Version 3.6.5 of Joomla has just been released, addressing security issues and fixing some bugs.

The most important issue that Joomla 3.6.5 addresses is an elevated privileges flaw present in every version of Joomla from 1.6.0 to 3.6.4, which could allow an attacker to modify existing user accounts, including resetting usernames, user group assignments and (gulp!) passwords.

In practice that means an attacker could register a brand new account on the site they are targeting, escalate it into an administrative group to gain ‘god-like’ abilities on the site, and then use that access to upload a remote shell and compromise the underlying server.
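Two checks a Joomla administrator would want after reading the above, written here as an added example (this is not code from the article or from the Joomla project): first, read the installed version out of Joomla's version file and compare it against the 1.6.0 to 3.6.4 range the advisory gives; second, list every account sitting in an administrative group, optionally only those registered after a chosen date, since the flaw lets an attacker both create accounts and change group assignments. It assumes the layout of Joomla's version file (`libraries/cms/version/version.php` in 3.x, with `RELEASE` and `DEV_LEVEL` constants; public `$RELEASE`/`$DEV_LEVEL` properties in older releases) and the default group IDs 7 (Administrator) and 8 (Super Users) of a stock Joomla 3.x install; the version file contents and user rows below are constructed sample data.

```python
import re

# Version range from the advisory summarised above: 1.6.0 through 3.6.4
# are affected, 3.6.5 is the first fixed release.
FIRST_AFFECTED = (1, 6, 0)
FIXED = (3, 6, 5)

# Assumption: Joomla 3.x records its version in libraries/cms/version/version.php
# as class constants (const RELEASE = '3.6'; const DEV_LEVEL = '4';), while
# 1.6-2.5 used public properties ($RELEASE, $DEV_LEVEL) in
# libraries/joomla/version.php. The regexes accept both spellings.
_RELEASE_RE = re.compile(r"\$?RELEASE\s*=\s*'(\d+)\.(\d+)'")
_DEV_LEVEL_RE = re.compile(r"\$?DEV_LEVEL\s*=\s*'(\d+)'")


def parse_joomla_version(php_source):
    """Return (major, minor, patch) from the contents of Joomla's version file."""
    release = _RELEASE_RE.search(php_source)
    level = _DEV_LEVEL_RE.search(php_source)
    if release is None or level is None:
        raise ValueError("RELEASE / DEV_LEVEL not found; is this Joomla's version file?")
    return (int(release.group(1)), int(release.group(2)), int(level.group(1)))


def is_vulnerable(version):
    """True if a (major, minor, patch) tuple falls inside the affected range."""
    return FIRST_AFFECTED <= version < FIXED


# Default group IDs in a stock Joomla 3.x install (assumption; sites may add
# groups or grant core.admin to custom ones, so extend this for your site).
PRIVILEGED_GROUPS = {7: "Administrator", 8: "Super Users"}


def privileged_accounts(users, group_map, since=None):
    """List (username, group) for every account in a privileged group.

    users: rows from #__users as dicts with id, username and registerDate
           (registerDate as the 'YYYY-MM-DD HH:MM:SS' string MySQL returns,
           which compares correctly as plain text).
    group_map: (user_id, group_id) rows from #__user_usergroup_map.
    since: optional 'YYYY-MM-DD HH:MM:SS' cutoff; only accounts registered
           on or after it are reported (useful after a suspected exposure).
    """
    by_id = {u["id"]: u for u in users}
    hits = []
    for user_id, group_id in group_map:
        if group_id not in PRIVILEGED_GROUPS or user_id not in by_id:
            continue
        user = by_id[user_id]
        if since is not None and user["registerDate"] < since:
            continue
        hits.append((user["username"], PRIVILEGED_GROUPS[group_id]))
    return sorted(hits)


# Constructed sample input, not taken from any real site.
SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
    const PRODUCT = 'Joomla!';
    const RELEASE = '3.6';
    const DEV_STATUS = 'Stable';
    const DEV_LEVEL = '4';
}
"""

SAMPLE_USERS = [
    {"id": 42, "username": "admin", "registerDate": "2014-03-01 09:12:00"},
    {"id": 901, "username": "webmaster2", "registerDate": "2016-12-15 02:41:37"},
    {"id": 902, "username": "jdoe", "registerDate": "2016-12-15 03:10:02"},
]
SAMPLE_GROUP_MAP = [(42, 8), (901, 2), (901, 8), (902, 2)]


if __name__ == "__main__":
    version = parse_joomla_version(SAMPLE_VERSION_PHP)
    print("Joomla %d.%d.%d vulnerable: %s" % (version + (is_vulnerable(version),)))
    print("privileged accounts registered since 2016-12-14:",
          privileged_accounts(SAMPLE_USERS, SAMPLE_GROUP_MAP, since="2016-12-14 00:00:00"))
```

On a real site, feed `parse_joomla_version` the contents of the version file and `privileged_accounts` the rows of `#__users` and `#__user_usergroup_map` (with your table prefix substituted). The version check tells you whether the site was exposed; the account listing is what tells you whether the exposure was used, because patching to 3.6.5 closes the hole but does not remove an account an attacker has already promoted.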

With a vulnerability as bad as that, it’s easy to understand why Joomla is telling users to update their websites as soon as possible.

In fact, the chances are that attackers are already scanning the internet for vulnerable sites.


The worry, of course, is that some websites will never be updated, making them easy pickings for attackers.

If you run a website powered by Joomla, please take security seriously. Reduce the risk of your site being compromised by updating to the latest version of your CMS, and keep a close eye on emerging security issues in future. Bear in mind, too, that if your site ran a vulnerable version while exposed to the internet, updating closes the hole but does not undo changes an attacker may already have made, so review your user accounts and their group assignments as well.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
