Blogs

If your Joomla website uses SP Page Builder, this post is worth five minutes of your time.

JoomShaper, the company behind SP Page Builder, sent an official security advisory confirming a vulnerability in the extension. The flaw allowed unauthenticated access to sensitive site functions. In plain terms, it meant someone could reach certain backend operations without ever logging in. JoomShaper closed this by adding strict checks at the core level: active login sessions, administrator authorization, and CSRF tokens. The fix shipped as version 6.6.2.

This is not a Joomla core issue. Joomla itself was never the problem here. The vulnerability sat inside a third party extension, SP Page Builder, which is built and maintained separately by JoomShaper. Joomla core remains as solid as it always has been.

What We Found

As part of our routine maintenance, we checked every Joomla website we manage for signs that this vulnerability had already been used. On one site, we found an unauthorized Super User account that we never created.

The account had a username and an email address ending in @secure.local. That domain does not belong to any real mail service. Seeing it attached to a Super User account is a clear sign the site had been accessed through this vulnerability before the fix was available.

We removed the account immediately, updated SP Page Builder to 6.6.2, and ran a full check across the rest of the site for anything else left behind. The site is now clean and secure.

Official Confirmation from JoomShaper

JoomShaper's changelog for version 6.6.2 lists the fix under "Fixed security for upload endpoints." Their direct advisory to developers went further, confirming that the patch closes unauthenticated access to sensitive site functions by adding session, authorization, and CSRF checks.

What You Should Check on Your Own Site

If you run a Joomla website with SP Page Builder, take these steps today.

Step 1: Check your version Log in to your Joomla admin panel, go to System, then Update, then Extensions. Check the installed version of SP Page Builder. Anything below 6.6.2 needs an update.

Step 2: Update Update SP Page Builder to version 6.6.2 through the Joomla updater, or download it directly from JoomShaper if needed.

Step 3: Check your user list Go to Users, then Manage. Look through the list for any Super Administrator account you do not recognize. Pay close attention to email addresses ending in @secure.local. That is the clearest sign of compromise.

Step 4: If you find something Do not stop at deleting the account. A site that was accessed this way may have other changes too. Check for unfamiliar files added recently, review your file structure for anything out of place, and consider rotating your admin passwords as a precaution.

Why This Matters Beyond One Update

We see this pattern often. A third party extension has a flaw, it gets fixed quietly in a changelog, and most site owners never realize it applied to them until something goes wrong. Updating extensions on time is not optional housekeeping. It is one of the most important habits for keeping a Joomla site secure.

If you are not sure whether your site is affected, or you want a second pair of eyes on it, reach out to us. We are happy to take a look.

JoomConsultant.com Joomla Specialists

Joomla 6.1 — named “Nyota” (the Swahili word for star) — launched on 14 April 2025, and it delivers six meaningful upgrades for site owners, developers, and content managers alike....

Joomla 3 officially reached end of life on 17 August 2023. All security patches stopped in February 2025. If your website still runs on Joomla 3, it is currently operating without any security support — making it a live target for hackers. As a result, this guide explains exactly what end of life means, what risks your business faces right now, and how to upgrade safely to a supported version....

Managing a Joomla website comes with a familiar routine. You log in, check for a new version, click through the update screen, and wait nervously until it finishes. That process works fine for one site. For five or ten sites, however, it becomes a serious time drain....

The Joomla White Screen of Death (WSOD) is one of the most frustrating issues website owners face. Instead of your website loading normally, you’re greeted with a completely blank page — no error message, no clues, nothing. But don’t worry — this issue is very common and completely fixable. ...

The Joomla CMS Critic Awards have once again highlighted the strength of Joomla in the content management system landscape. At the 14th Annual CMS Critic Awards, Joomla was recognized with two major titles: Best Free CMS Best Open Source CMS ...

Many Joomla optimization guides focus only on frontend speed. However, backend performance is just as important. A slow administrator panel reduces productivity, increases maintenance time, and signals deeper structural issues. That is why a structured Joomla backend optimization strategy is essential in 2026.

In 2026, a Joomla maintenance plan is no longer just about installing updates. With faster release cycles, rising performance expectations, and stricter security standards, structured maintenance has become essential for protecting website stability and long-term growth....

WordPress is automatically better for SEO than Joomla” or “Joomla is bad for SEO. These statements are repeated so often that many people accept them without stopping to ask why. Over time, popularity, aggressive plugin marketing, and blog posts written mainly by WordPress users have shaped this belief. But popularity does not automatically mean technical superiority....