Critical Joomla Framework Vulnerabilities Expose Sites to RCE and Data Theft
Independent researcher p1r0x, in collaboration with SSD Secure Disclosure, has uncovered severe vulnerabilities in Joomla extensions relying on the Novarain/Tassos Framework (now rebranded as Tassos Framework). The flaws enable SQL injection, unauthenticated file reads, and file deletions, which attackers can chain to achieve administrator account takeover and remote code execution (RCE) on unpatched systems.
Affected Extensions and Framework
The vulnerabilities impact multiple popular Joomla extensions that depend on the plg_system_nrframework plugin, including:
- Convert Forms (v3.2.12 – v5.1.0)
- EngageBox (v6.0.0 – v7.1.0)
- Google Structured Data (v5.1.7 – v6.1.0)
- Advanced Custom Fields (v2.2.0 – v3.1.0)
- Smile Pack (v1.0.0 – v2.1.0)
- Novarain/Tassos Framework (v4.10.14 – v6.0.37)
Exploit Mechanics
The flaws stem from weak AJAX handling in the framework, particularly a flawed "include" task that allows attackers to:
- Bypass file-type checks via improper CSV processing, enabling unauthenticated file reads of sensitive local files.
- Delete files without authentication by exploiting an unprotected unlink() call in the "remove" action, potentially disabling security measures like .htpasswd.
- Execute SQL injection through unsanitized parameters in database queries, allowing attackers to dump tables or extract admin credentials.
By chaining these exploits, attackers can:
- Steal admin session data or credentials via SQL injection.
- Authenticate as administrators, upload malicious extensions, or inject code into templates for RCE.
- Disrupt site stability by deleting critical files.
Mitigation and Patches
Tassos has released patched versions of the affected extensions and framework. Site owners should:
- Update immediately via Joomla’s Extension Manager.
- Disable affected extensions or the nrframework plugin if patching is delayed.
- Block ?option=com_ajax endpoints at the web server or WAF level.
- Monitor logs for suspicious AJAX calls and scan for signs of compromise (e.g., unexpected file changes).
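To make the "monitor logs for suspicious AJAX calls" step concrete, here is an added example scanner written for this summary; it is not code from the report, the researcher, or Tassos. It parses Apache combined-format access log lines and flags requests routed through Joomla's com_ajax component (the real `option=com_ajax`, `plugin=`, `group=`, `format=raw` routing parameters) to the nrframework plugin, escalating when the task named is one of the two the report describes ("include", "remove") or when a query value carries a `..` traversal sequence. The `task` and `file` parameter names and the log lines themselves are constructed assumptions, not values taken from the advisory.

```python
"""Flag Joomla com_ajax requests aimed at the nrframework plugin in access logs.

Added example for this summary (not from the original report or from Tassos).
Assumed: Joomla's com_ajax routing parameters (option=com_ajax, plugin=<name>,
group=system, format=raw), and that the framework's AJAX task is selected by a
'task' query parameter whose values include 'include' and 'remove'.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Task names the report identifies as the weak spots ('include' read, 'remove' deletion).
WATCHED_TASKS = {"include", "remove"}

# Constructed sample lines: documentation-range IPs, invented requests, assumed 'file' parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&group=system&format=raw&task=include&file=..%2F..%2Fsecret.txt HTTP/1.1" 200 1834 "-" "curl/8.5.0"
203.0.113.10 - - [12/Feb/2026:10:01:05 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&group=system&task=remove HTTP/1.1" 200 12 "-" "curl/8.5.0"
198.51.100.7 - - [12/Feb/2026:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9231 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2026:10:02:30 +0000] "POST /index.php?option=com_ajax&plugin=convertforms&group=system&format=raw HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the reasons a request path deserves a look; an empty list means not flagged."""
    parts = urlsplit(path)
    # parse_qs percent-decodes values, so an encoded traversal shows up as a literal '..'
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    if query.get("option") != ["com_ajax"] or "nrframework" not in query.get("plugin", []):
        return []
    reasons = ["com_ajax request routed to the nrframework plugin"]
    for task in query.get("task", []):  # 'task' is an assumed parameter name
        if task in WATCHED_TASKS:
            reasons.append(f"task={task}")
    if any(".." in v for values in query.values() for v in values):
        reasons.append("'..' traversal sequence in a query value")
    return reasons


def scan(log_text):
    """Run classify() over every parseable line and return the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = classify(rec["path"])
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against a real log with `scan(open("/var/log/apache2/access.log").read())`. Two caveats when tuning it: an access log cannot show whether the caller held a session, so a hit is a lead to correlate with Joomla's own user log and with file modification times rather than proof of compromise; and the same com_ajax calls are normal traffic from the extensions' own front-end code, so once the plugin is patched the plain "routed to nrframework" reason will fire on legitimate requests and only the task and traversal reasons stay meaningful. The same parameter filter expresses the report's "block ?option=com_ajax" advice as a narrower web server or WAF rule that denies only `plugin=nrframework` rather than every com_ajax call, which other extensions on the site may rely on.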
Broader Implications
This disclosure underscores the ongoing risks in third-party Joomla extensions, particularly those with lax input validation and direct filesystem access. Framework developers are urged to harden AJAX endpoints and enforce stricter security practices, while Joomla users should audit extensions regularly and prioritize automated updates.
No CVEs have been assigned yet, but the vulnerabilities demand urgent attention due to their potential for full site compromise.
Source: https://cyberpress.org/joomla-novarain-tassos-framework-flaws/
EngageBox TPRM report: https://www.rankiteo.com/company/tassos.gr
Tassos TPRM report: https://www.rankiteo.com/company/tassos.gr
Google Structured Data TPRM report: https://www.rankiteo.com/company/the-structured-data-company
Convert Forms TPRM report: https://www.rankiteo.com/company/tassos.gr
"id": "tasthe1771259547",
"linkid": "tassos.gr, the-structured-data-company",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {"industry": "Web Development/CMS", "name": "Joomla websites using Convert Forms", "type": "Software/Extension"},
    {"industry": "Web Development/CMS", "name": "Joomla websites using EngageBox", "type": "Software/Extension"},
    {"industry": "Web Development/CMS", "name": "Joomla websites using Google Structured Data", "type": "Software/Extension"},
    {"industry": "Web Development/CMS", "name": "Joomla websites using Advanced Custom Fields", "type": "Software/Extension"},
    {"industry": "Web Development/CMS", "name": "Joomla websites using Smile Pack", "type": "Software/Extension"},
    {"industry": "Web Development/CMS", "name": "Joomla websites using Novarain/Tassos Framework", "type": "Software/Framework"}
  ],
  "attack_vector": "Weak AJAX handling in the Novarain/Tassos Framework, specifically a flawed 'include' task and unprotected 'unlink()' call",
  "data_breach": {
    "personally_identifiable_information": "Possible if admin credentials or session data contain PII",
    "sensitivity_of_data": "High (admin credentials, session data, potentially PII)",
    "type_of_data_compromised": ["Admin credentials", "Session data", "Sensitive local files"]
  },
  "description": "Independent researcher p1r0x, in collaboration with SSD Secure Disclosure, uncovered severe vulnerabilities in Joomla extensions relying on the Novarain/Tassos Framework. The flaws enable SQL injection, unauthenticated file reads, and file deletions, which attackers can chain to achieve administrator account takeover and remote code execution (RCE) on unpatched systems.",
  "impact": {
    "brand_reputation_impact": "Potential damage due to site compromise or data theft",
    "data_compromised": "Admin session data, credentials, sensitive local files",
    "identity_theft_risk": "Possible if admin credentials or PII are exposed",
    "operational_impact": "Potential site disruption due to deleted critical files, RCE, or admin account takeover",
    "systems_affected": "Joomla websites using vulnerable extensions or the Novarain/Tassos Framework"
  },
  "lessons_learned": "Ongoing risks in third-party Joomla extensions, particularly those with lax input validation and direct filesystem access. Framework developers should harden AJAX endpoints and enforce stricter security practices.",
  "post_incident_analysis": {
    "corrective_actions": ["Apply patches released by Tassos", "Harden AJAX endpoints", "Enforce stricter input validation", "Restrict direct filesystem access"],
    "root_causes": ["Weak AJAX handling in the Novarain/Tassos Framework", "Improper CSV processing allowing unauthenticated file reads", "Unprotected 'unlink()' call enabling unauthenticated file deletion", "Unsanitized parameters in database queries leading to SQL injection"]
  },
  "recommendations": ["Audit Joomla extensions regularly", "Prioritize automated updates", "Harden AJAX endpoints in frameworks", "Enforce stricter input validation and filesystem access controls"],
  "references": [{"source": "SSD Secure Disclosure"}, {"source": "Researcher p1r0x"}],
  "response": {
    "containment_measures": ["Update affected extensions and framework via Joomla’s Extension Manager", "Disable affected extensions or the nrframework plugin if patching is delayed", "Block ?option=com_ajax endpoints at the web server or WAF level"],
    "enhanced_monitoring": "Monitor logs for suspicious AJAX calls",
    "remediation_measures": ["Apply patches released by Tassos", "Monitor logs for suspicious AJAX calls", "Scan for signs of compromise (e.g., unexpected file changes)"],
    "third_party_assistance": "SSD Secure Disclosure"
  },
  "title": "Critical Joomla Framework Vulnerabilities Expose Sites to RCE and Data Theft",
  "type": ["SQL Injection", "Unauthenticated File Read", "Unauthenticated File Deletion", "Remote Code Execution (RCE)", "Privilege Escalation"],
  "vulnerability_exploited": ["Improper CSV processing allowing unauthenticated file reads", "Unprotected 'unlink()' call enabling unauthenticated file deletion", "Unsanitized parameters in database queries leading to SQL injection"]
}