A Reflection On Security In The Age Of AI - Question | JoomShaper


A Reflection On Security In The Age Of AI


David Forés

General 6 days ago

Over the past few days, we have seen several Joomla extensions affected by critical zero-day vulnerabilities, some of which could allow attackers to gain complete control of a website.

This has led me to reflect on the current state of security within the Joomla ecosystem.

One of the greatest strengths of open-source software can also be one of its weaknesses: anyone can inspect the source code. This transparency helps developers, researchers, and the community improve the software, but it also allows malicious actors to study the code, identify vulnerabilities, and exploit them.

Cyberattacks have always existed, and for many years there has been a certain balance between offensive techniques and defensive measures. However, the emergence of AI—and particularly models and agents specialized in code analysis and security auditing—has significantly changed that balance.

Security flaws that may have remained hidden for years, and could otherwise have gone unnoticed for much longer, can now potentially be identified by AI-assisted tools within minutes. The same technology that can help developers secure their software can also be used by people with malicious intentions.

For this reason, I believe this may be the right time to consider temporarily prioritizing security over the development of new features. It could be extremely valuable to dedicate additional resources to comprehensive security audits, supported by the same advanced AI-assisted tools that are increasingly being used to discover vulnerabilities.

I believe particular attention should be given to Helix Ultimate and SP Page Builder, as they are central products used across a very large number of websites. However, the same approach should ideally extend to the rest of JoomShaper’s extensions and templates as well.

This is not related to any specific incident or known vulnerability in JoomShaper products. It is simply a reflection that I wanted to share in the hope that it may contribute, even in a small way, to making the ecosystem stronger and more secure.

Once again, thank you to everyone who works to improve Joomla and its ecosystem, whether through development, testing, security research, documentation, support, or community participation.

2 Answers
Paul Frankowski
Accepted Answer
Senior Staff 6 days ago #226088

Hi David,

This has led me to reflect on the current state of security within the Joomla ecosystem.

  1. Exactly the same happens in WordPress, but on a much bigger scale. I saw reports, and that list is so long that after 5 pages I stopped scrolling.
  2. Because it's open source, every kid can take the code and check it using an AI tool with the request "find me a hole".

Solution?

Back to the basics - HTML websites (of course, a joke).

In general, it's the price that we all have to pay being in the AI Matrix.

David Forés
Accepted Answer
6 days ago #226091

Obviously, this is happening at all levels. We’ve recently seen critical vulnerabilities in WordPress, cPanel, and others, but here we’re focusing on Joomla, which is what interests us.

And yes, one possible solution is to go back to static HTML xDD

But anyway, my point with that was simply to highlight that the rules of the game have changed, and given what we’ve been seeing lately, we need to strengthen all security measures even more than before. This includes establishing new protocols or code reviews, conducting periodic audits, or anything else that helps keep the code as secure as possible.

Once again, thank you for the great work you’re doing.
