A high-severity SQL injection vulnerability has been identified in Joomla! versions 3.2 through 3.4.4. The popular Content Management System (CMS), second only to WordPress with a staggering 6.6% CMS market share (as of October 23, 2015, based on W3Techs' trend reports), runs on an estimated 2.8 million sites (according to a survey carried out by BuiltWith).

By leveraging the SQL injection vulnerability, an attacker could gain full administrative control of any vulnerable Joomla! site. The vulnerability resides in the Joomla! core and does not require any extensions to be installed on the site. To make matters worse, the vulnerability goes all the way back to Joomla! version 3.2 (released November 2013), which leaves the large majority of sites running Joomla! exposed.

Acunetix WVS and Acunetix OVS have been updated to detect this vulnerability. Acunetix identifies Joomla! installations and launches version-specific Joomla! security checks to ensure your website is secure. Please refer to this guide on installing the latest updates in Acunetix WVS. Acunetix OVS updates are rolled out automatically and do not require any user action.

Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.