Security Advisory - Published 2026-06-20 - Joomla Extensions
Joomla extension CVE batch: remove abandoned components and review database changes
This batch is mostly older Joomla extensions that appeared in current CVE monitoring because public sites still run them. The risk is not theoretical for legacy Joomla installs: old components remain reachable, old tables keep sensitive records, and stale builder, event, and upload handlers can leave executable files behind.
Affected extensions
| CVE | Extension | Affected version | Review focus | CVSS |
|---|---|---|---|---|
| CVE-2026-48939 | Joomla iCagenda | vendor advisory | event attachments, uploads, and executable files | 10.0 |
| CVE-2026-48908 | Joomla SP Page Builder | vendor advisory | uploads, executable files, and public builder routes | 10.0 |
| CVE-2017-20262 | Joomla Ajax Quiz | 1.8 | quiz records, database errors, and access logs | 8.8 |
| CVE-2017-20261 | Joomla Bargain Product VM3 | 1.0 | VirtueMart product records, database errors, and access logs | 8.8 |
| CVE-2017-20267 | Joomla Calendar Planner | 1.0.1 | calendar records, database errors, and access logs | 8.8 |
| CVE-2017-20273 | Joomla Event Registration Pro Calendar | 4.1.3 | event records, database errors, and access logs | 8.8 |
| CVE-2017-20281 | Joomla Extra Search | 2.2.8 | search records, database errors, and access logs | 8.8 |
| CVE-2017-20263 | Joomla FocalPoint Pro/Free | 1.2.3 | content records, database errors, and access logs | 8.8 |
| CVE-2019-25752 | Joomla J-BusinessDirectory | 4.9.7 | directory records, database errors, and access logs | 8.8 |
| CVE-2019-25751 | Joomla J-ClassifiedsManager | 3.0.5 | classified records, database errors, and access logs | 8.8 |
| CVE-2019-25750 | Joomla J-MultipleHotelReservation | 6.0.7 | reservation records, database errors, and access logs | 8.8 |
| CVE-2017-20255 | Joomla JB Visa | 1.0 | booking records, database errors, and access logs | 8.8 |
| CVE-2017-20282 | Joomla jCart for OpenCart | 2.0 | cart records, database errors, and access logs | 8.8 |
| CVE-2019-25748 | Joomla JHotelReservation | 6.0.7 | reservation records, database errors, and access logs | 8.8 |
| CVE-2017-20277 | Joomla JoomRecipe | 1.0.4 | recipe records, database errors, and access logs | 8.8 |
| CVE-2017-20278 | Joomla JoomRecipe | 1.0.3 | recipe records, database errors, and access logs | 8.8 |
| CVE-2017-20269 | Joomla KissGallery | 1.0.0 | gallery records, database errors, and access logs | 8.8 |
| CVE-2017-20274 | Joomla LMS King Professional | 3.2.4.0 | course records, database errors, and access logs | 8.8 |
| CVE-2017-20253 | Joomla My Projects | 2.0 | project records, database errors, and user activity | 8.8 |
| CVE-2017-20280 | Joomla Myportfolio | 3.0.2 | portfolio records, database errors, and access logs | 8.8 |
| CVE-2017-20252 | Joomla NextGen Editor | 2.1.0 | database errors, extension settings, and user activity | 8.8 |
| CVE-2017-20259 | Joomla OSDownloads | 1.7.4 | download records, database errors, and access logs | 8.8 |
| CVE-2017-20279 | Joomla Payage | 2.05 | payment records, database errors, and access logs | 8.8 |
| CVE-2017-20275 | Joomla PHP-Bridge | 1.2.3 | bridge records, database errors, and access logs | 8.8 |
| CVE-2017-20260 | Joomla Price Alert | 3.0.2 | price alert records, database errors, and access logs | 8.8 |
| CVE-2017-20257 | Joomla Quiz Deluxe | 3.7.4 | quiz records, database errors, and access logs | 8.8 |
| CVE-2017-20258 | Joomla RPC Responsive Portfolio | 1.6.1 | portfolio records, database errors, and access logs | 8.8 |
| CVE-2017-20276 | Joomla SIMGenealogy | 2.1.5 | genealogy records, database errors, and access logs | 8.8 |
| CVE-2017-20266 | Joomla SP Movie Database | 1.3 | movie records, database errors, and access logs | 8.8 |
| CVE-2017-20271 | Joomla StreetGuessr Game | 1.1.8 | game records, database errors, and access logs | 8.8 |
| CVE-2017-20256 | Joomla Survey Force Deluxe | 3.2.4 | survey records, database errors, and access logs | 8.8 |
| CVE-2017-20270 | Joomla Twitch Tv | 1.1 | video records, database errors, and access logs | 8.8 |
| CVE-2017-20272 | Joomla Ultimate Property Listing | 1.0.2 | property records, database errors, and access logs | 8.8 |
| CVE-2017-20254 | Joomla User Bench | 1.0 | user records, database errors, and access logs | 8.8 |
| CVE-2019-25756 | Joomla vAccount | 2.0.2 | account records, database errors, and access logs | 8.8 |
| CVE-2019-25758 | Joomla vBizz | 1.0.7 | uploads, executable files, and authenticated user activity | 8.8 |
| CVE-2019-25753 | Joomla VMap | 1.9.6 | map records, database errors, and access logs | 8.8 |
| CVE-2019-25754 | Joomla vRestaurant | 1.9.4 | restaurant records, database errors, and access logs | 8.8 |
| CVE-2019-25755 | Joomla vReview | 1.9.11 | review records, database errors, and access logs | 8.8 |
| CVE-2017-20268 | Joomla Zap Calendar Lite | 4.3.4 | calendar records, database errors, and access logs | 8.8 |
| CVE-2023-54357 | Joomla com_booking | 2.4.9 | booking users, account enumeration signs, and access logs | 8.7 |
| CVE-2019-25762 | Joomla JoomProject | 1.1.3.2 | project data, user exports, and access logs | 8.7 |
| CVE-2017-20265 | Joomla Flip Wall | 8.0 | wall records, database errors, and authenticated user activity | 7.1 |
| CVE-2019-25749 | Joomla J-CruisePortal | 6.0.4 | cruise records, database errors, and authenticated user activity | 7.1 |
| CVE-2019-25761 | Joomla JoomCRM | 1.1.1 | CRM records, database errors, and authenticated user activity | 7.1 |
| CVE-2017-20264 | Joomla Sponsor Wall | 8.0 | sponsor records, database errors, and authenticated user activity | 7.1 |
| CVE-2019-25759 | Joomla vBizz | 1.0.7 | business records, database errors, and authenticated user activity | 7.1 |
| CVE-2019-25757 | Joomla vWishlist | 1.0.1 | wishlist records, database errors, and authenticated user activity | 7.1 |
| CVE-2019-25760 | Joomla Easy Shop | 1.2.3 | file access logs, configuration reads, and old public routes | 6.9 |
Owner self-check
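```sh
# List installed extensions (Joomla 4+ console; run from the site root)
php cli/joomla.php extension:list 2>/dev/null
# Directories left by affected extensions, including disabled copies
find components administrator/components plugins modules templates -maxdepth 3 -type d | grep -Ei 'sp-page-builder|sppagebuilder|icagenda|joomproject|booking|joomrecipe|vrestaurant|vreview|vbizz|vmap|osdownloads|joomcrm|easyshop'
# Script, archive, and SQL dump files modified in the last 14 days
find . -type f -mtime -14 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|\.sql$'
# Errors, SQL messages, warnings, and upload entries in the Joomla logs
grep -RniE 'error|sql|warning|upload' administrator/logs logs 2>/dev/null
```
What to review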
- Extensions that are installed but no longer maintained, including disabled copies still present on disk.
- Database errors, unexpected record changes, account enumeration, and exports around the alert window.
- Upload folders, media paths, and executable files created by old business, booking, recipe, CRM, map, or shop components.
- New super users, changed administrator emails, changed templates, and modified configuration files.
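One way to check the upload and media paths from the list above, as an added example that is not part of the original advisory. It assumes the stock Joomla directories `images`, `media`, `tmp` and `cache`, reuses the `.php`/`.phtml`/`.phar` patterns from the self-check, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Assumed layout: images/, media/, tmp/ and cache/ under the Joomla root.
# Extensions mirror the advisory's self-check: .php, .phtml, .phar.

# _exec_hits DIR LABEL [find age test...]
# Prints "LABEL path" for each script-capable file matching the age test.
_exec_hits() {
    hit_dir=$1
    hit_label=$2
    shift 2
    find "$hit_dir" -type f "$@" \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print |
        sed "s/^/$hit_label /"
}

# scan_upload_exec ROOT [DAYS]
# RECENT = modified within DAYS days (default 14, as in the self-check);
# OLDER  = everything else. Hits are leads to triage, not proof.
scan_upload_exec() {
    root=$1
    days=${2:-14}
    for dir in images media tmp cache; do
        [ -d "$root/$dir" ] || continue
        _exec_hits "$root/$dir" RECENT -mtime "-$days"
        _exec_hits "$root/$dir" OLDER ! -mtime "-$days"
    done | sort
}

# Usage: scan_upload_exec /var/www/site 14
```

OLDER hits matter as much as RECENT ones on legacy installs, since a file dropped years ago by an abandoned component is still reachable.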
Safe fix path
- Patch the extension if a maintained release exists. If the extension is abandoned, uninstall it and remove leftover files.
- Preserve access logs, Joomla logs, database backups, and recent file timestamps before cleanup.
- Rotate database and administrator credentials if the component was reachable from the public internet.
- Review old routes after uninstalling; stale rewrite rules and cached pages can keep abandoned paths visible.
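The preservation step above can be scripted before anything is uninstalled. This added example (not the advisory's own tooling) assumes `tar` and `sha256sum` are available and an output directory outside the web root; `preserve_evidence` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Assumptions: tar and sha256sum are installed; logs live in
# administrator/logs and logs (the paths the self-check greps); OUTDIR is
# outside ROOT. Database backups are taken separately with your DB tooling.

# preserve_evidence ROOT OUTDIR [DAYS]
# Writes into OUTDIR:
#   logs.tar          Joomla log directories (mtimes kept in tar headers)
#   recent-files.txt  files under ROOT modified within DAYS days (default 14)
#   recent-files.tar  those files, archived with their timestamps
#   SHA256SUMS        digests of the files above, for later verification
preserve_evidence() {
    root=$1
    out=$2
    days=${3:-14}
    mkdir -p "$out" || return 1
    out=$(cd "$out" && pwd) || return 1   # absolute path survives the cd
    (
        cd "$root" || exit 1
        set --                            # collect existing log dirs
        for d in administrator/logs logs; do
            if [ -d "$d" ]; then set -- "$@" "$d"; fi
        done
        if [ "$#" -gt 0 ]; then
            tar -cf "$out/logs.tar" "$@" || exit 1
        fi
        find . -type f -mtime "-$days" | sort > "$out/recent-files.txt"
        tar -cf "$out/recent-files.tar" -T "$out/recent-files.txt" || exit 1
    ) || return 1
    ( cd "$out" && sha256sum ./*.tar recent-files.txt > SHA256SUMS )
}
```

Run `sha256sum -c SHA256SUMS` inside the output directory later to confirm the snapshot has not changed since it was taken.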
Repair help
Use Ping7 CVE Repair when a Joomla site still has old extensions, unknown database changes, suspicious uploads, new admins, or logs that are too noisy to review by hand.