Serious Joomla Vulnerability found but we’ve got you Covered!


It is mid-summer now but security issues take no vacation. Actually, they find the most inappropriate time to appear and make our lives more interesting, to say the least. On Thursday, 25 July the Joomla! Project announced the availability of Joomla 3.1.4/2.5.13 and many users upgraded their websites because the new releases provide tons of useful new features and bug fixes. One might think: job well done, it is time to hit the beach! But… On Thursday, 01 August, the Joomla! Project surprisingly announced the immediate availability of Joomla! 3.1.5/2.5.14. Apparently not much time to sip exotic summer cocktails was allowed. The reason for this extremely short period between the two versions was that a critical-level security issue was discovered just after the previous release, and it had the potential to affect all Joomla! CMS versions. Yes, that's correct - we are talking about all the Joomla! sites out there. All versions are affected - 1.5, 1.6, 1.7, 2.5 and 3. Sounds scary, right? Not if you're hosted on SiteGround servers!

Vulnerability Explained

The vulnerability allows Joomla websites to be hacked through the Media Manager. Exploitation requires a Joomla site that grants its registered users access to the Media Manager. The attacker registers an account and uses the vulnerability to upload a malicious shell script to the site through the Media Manager. After that the attacker can do pretty much anything – edit your files, access your database, delete information, etc.

How did we resolve the issue for all of our clients?

Step 1: We applied a server level solution

As soon as the vulnerability was announced, our security team started to develop a server-level patch. This is our standard practice when there is an issue that can affect a large number of installations. The idea is to create a layer of protection for all Joomla websites hosted by SiteGround, regardless of their current version. We carefully analyzed the vulnerability, the exploit and the payload, and came up with an ingenious solution that blocks the upload of malicious files through the Media Manager at the server level.

Step 2: Upgrading Joomla 2.5 and 3

Our Joomla! Auto Update system upgraded the 2.5.x/3.x applications on our servers to the new versions 2.5.14 and 3.1.5. These were released very promptly by the Joomla organization and are no longer vulnerable. Once again, the Auto Update system we have developed secured our customers’ websites without any effort on their side.

Step 3: Patching Joomla 1.5

As Joomla 1.5 is no longer officially supported, there was no upgrade available for it. However, the Joomla team has released a security patch that has to be applied manually, so we went the extra mile and patched all the old Joomla versions hosted on our servers ourselves.

What to do if you're not hosted by SiteGround?

The official solution for Joomla! 2.5.x and 3.x sites is to upgrade your application to the latest stable releases - 2.5.14 and 3.1.5. Joomla! 1.5.x users should download this Joomla patch, extract the .zip file and manually upload the enclosed files into place.
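For anyone managing several installations, the following added example (not SiteGround's or the Joomla project's code) reads each site's version file and maps it to the remediation named above. The version-file paths and the `$RELEASE` / `$DEV_LEVEL` field names are assumptions about Joomla's layout that do not come from this post, and the sample trees are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed version-file locations per Joomla line (not stated in the post).
VERSION_FILES = (
    "libraries/cms/version/version.php",  # 2.5.x and 3.x
    "includes/version.php",               # 1.6 / 1.7
    "libraries/joomla/version.php",       # 1.5.x
)
RELEASE = re.compile(r"\$RELEASE\s*=\s*'(\d+)\.(\d+)'")
DEV_LEVEL = re.compile(r"\$DEV_LEVEL\s*=\s*'(\d+)")

def read_version(site_root):
    """Return (major, minor, patch) for a Joomla tree, or None if not found."""
    for rel in VERSION_FILES:
        path = Path(site_root) / rel
        if path.is_file():
            text = path.read_text(errors="replace")
            rel_m, dev_m = RELEASE.search(text), DEV_LEVEL.search(text)
            if rel_m and dev_m:
                return int(rel_m.group(1)), int(rel_m.group(2)), int(dev_m.group(1))
    return None

def advise(version):
    """Map a version to the action the post names for its branch."""
    if version is None:
        return "unknown"
    if version[:2] == (1, 5):
        return "verify-1.5-patch"        # version number does not show the patch
    if version[:2] in ((1, 6), (1, 7)):
        return "affected-no-fix-listed"  # post lists these as affected only
    if version[:2] == (2, 5):
        return "ok" if version >= (2, 5, 14) else "upgrade-to-2.5.14"
    if version[0] >= 3:
        return "ok" if version >= (3, 1, 5) else "upgrade-to-3.1.5"
    return "unknown"

def demo():
    """Audit constructed sample trees (not real sites)."""
    samples = {"shop": (0, "2.5", "13"), "blog": (0, "3.1", "5"), "old": (2, "1.5", "26")}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (idx, release, dev) in samples.items():
            path = Path(tmp, name, VERSION_FILES[idx])
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\n$RELEASE = '{release}';\n$DEV_LEVEL = '{dev}';\n")
            results[name] = advise(read_version(Path(tmp, name)))
        results["empty"] = advise(read_version(tmp))
    return results

if __name__ == "__main__":
    print(demo())
```

For a 1.5.x site the version number alone cannot show whether the manual patch was applied, so those installations need a file-level check against the patch contents.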

All in all, if you're a SiteGround customer you can sit back and enjoy your summer vacation, we got you covered! Otherwise, you will have to put down your cocktail and patch your Joomla! site before it is too late. Of course, you can always transfer to us.

Senior Web Apps Engineer and Performance Specialist

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper focused on solving all kinds of issues and improving our services.


  1. August 5, 2013 / 08:30 TB

    Thanks Siteground for being proactive with this - much appreciated. T.

  2. August 6, 2013 / 06:30 Matt

    It's great to see you being proactive about security. However, it needs to be clarified that no one should be using versions 1.6, 1.7. Those versions are STS releases and are no longer supported and insecure.

  3. August 6, 2013 / 11:13 Richard

    That's great to hear. I like the fact a problem is fixed before I know about it, one less thing to stress about.

    So, how to make Siteground better still? How about the same 'response' to Opencart? Wow, automated bug fixing for my two favorite programmes, that's 2 things less to stress about :)

  4. August 6, 2013 / 12:14 Kevin

    Thanks SG! Wasn't even aware there was a vulnerability. You guys rock!

  5. August 6, 2013 / 17:18 Jennifer

    Thanks for staying on top of it. I have Joomla 3 but I have disabled the auto update because of my template compatibility. Do I need to change anything? Thanks!

    • August 7, 2013 / 00:38 Daniel Kanchev (SiteGround Team)

      Hi Jennifer,

      I checked your Joomla! CMS site and I can confirm that it is not vulnerable - our server level protection rule got you covered. However, you should really upgrade your site to the latest stable Joomla! release (3.1.5) because it also offers many new features. If you have any questions regarding the upgrade you can send me an email to I will be glad to assist you and check your template.

  6. August 14, 2013 / 04:08 Moe

    Makes you feel lucky to have such a great hosting provider!

  7. August 14, 2013 / 12:40 akin

    Siteground is the best ISP in the world! I can actually happily sleep and be rest assured my clients' websites are up 24/7. Thank you.

  8. August 26, 2013 / 23:11 Ceeland Gregory

    I am using joomla 1.5.26.
    Could you tell me how to upgrade to latest version 3.15?
    Thank you

