Critical Bug: Helix Ultimate Update Notifications Failing (Site Compromised) - Question | JoomShaper


Critical Bug: Helix Ultimate Update Notifications Failing (Site Compromised)


Bruce Paine

Template 4 days ago

Hi JoomShaper Team,

I am writing to express my frustration regarding a serious issue with the Helix Ultimate update mechanism that recently led to our website being compromised by malware.

Our Joomla administrator panel explicitly stated that Helix Ultimate was "Up to Date" at version 2.2.4. However, a malicious web shell backdoor was injected directly into the template's '/offcanvas/3-CenterAlign/' directory. Upon closer inspection, we realized that version 2.2.6 had been available, but your update server failed to communicate this to our Joomla system, leaving us entirely exposed to a known vulnerability. Furthermore, the template details still hardcode a creation date of 2018, adding to the confusion for administrators trying to verify file integrity.

When an update server fails or responds incorrectly, it should log an error, not falsely report to Joomla that the extension is secure and current.

Can you please confirm:

  1. Why the update server failed to notify our Joomla 5 site about the 2.2.6 security patches?

  2. What steps JoomShaper is taking to ensure update definitions reliably reach Joomla sites moving forward so other users don't suffer similar breaches?

Account Domain: www.comfoot.co.nz
Current Version Installed Manually: 2.2.6

Regards, Bruce

5 Answers
Bruce Paine
Accepted Answer
4 days ago #226141

Hi Paul,

Thank you for the clarification.

To clarify from our side: the site was indeed breached via the SP Page Builder exploit you referenced, which explains the unauthorized Super User account we found and purged. The hackers then used that access to drop the standalone backdoor into the Helix template subdirectory.

My concern wasn't that Helix had a specific vulnerability, but rather that Joomla confidently reported version 2.2.4 as "Up to Date" when 2.2.6 was available. If the update mechanism had reliably flagged that an override update was pending, our routine audits would have caught the version drift much sooner. Leaving a hardcoded 2018 creation date in a modern package manifest only compounds that confusion during a post-breach audit.

We have now manually forced the update to 2.2.6, fully cleared the environment, and will be deploying our upcoming EasyStore launch on a completely wiped, sterile directory with a fresh database to ensure total compliance.

No further troubleshooting is required on this ticket. I will mark this as resolved.

Regards, Bruce

Paul Frankowski
Accepted Answer
Senior Staff 4 days ago #226118

Hi Bruce,

Please read the Helix Ultimate changelog; there wasn't any security update for Helix itself. After you have installed the new version manually, scan your site deeply for malware or backdoor files.

When it comes to security, the threats have come from completely different sources over the last two weeks; more here: https://www.joomshaper.com/forum/question/45152

Paul Frankowski
Accepted Answer
Senior Staff 4 days ago #226119
  1. I am not sure, because all users have the same update URL. For example, on all my sites (and I have a lot of them) I've seen that the Helix plugin asked for action (update).

  2. I don't fully understand your question. We fixed the security hole in SPPB on Monday morning, just after the zero-day vulnerability was found over the weekend. We just don't make excuses. But in general it's still a webmaster's duty to check that all extensions are regularly updated and the CMS is secured. Yes, you have to log in to the website every week or two weeks and check one by one, sometimes comparing with the changelog. So far Joomla doesn't have an extension auto-update system as WordPress has, but there are online services (mysites.guru) that allow that, and much more.

Because of AI, the number of security incidents will only rise, ranging from small websites to bank and government portals. You cannot just build a website and forget about it. Even on a remote island like NZ, your website isn't safe from cybercrime. Bruce, the world is like Gotham City at night.

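Both Bruce's point about version drift (Joomla reporting 2.2.4 as "Up to Date" while 2.2.6 existed) and Paul's advice to log in periodically and compare installed versions against the changelog come down to the same check: fetch the extension's update-server XML yourself and compare versions, independent of what the admin panel's cached result says. The script below is an added example, not JoomShaper's or Joomla's own code. It parses a constructed feed in the standard Joomla update-server format (`<updates><update><element>`, `<version>`, `<targetplatform name="joomla" version="…"/>`). Joomla only offers an `<update>` entry whose `targetplatform` version pattern matches the site's own Joomla version, so the script also reports when a newer version exists in the feed but is not offered to this platform. The element name `plg_system_helixultimate`, the download URLs, the Joomla version strings and the scenario where the Joomla 5 entry lags the Joomla 4 entry are assumptions for illustration only, not a claim about what happened on the poster's site.

```python
"""Compare an installed extension version with a Joomla update-server feed.

Added example, not JoomShaper's or Joomla's code. SAMPLE_FEED is a constructed
feed in the Joomla update-server XML format; element name, URLs and the
two-entry scenario are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Joomla 4 entry carries 2.2.6, the Joomla 5 entry only
# 2.2.4. A Joomla 5 site consulting this feed would therefore see "Up to Date" at
# 2.2.4 even though 2.2.6 is published. (Hypothetical scenario, not the real feed.)
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<updates>
  <update>
    <name>Helix Ultimate</name>
    <element>plg_system_helixultimate</element>
    <type>plugin</type>
    <folder>system</folder>
    <client>site</client>
    <version>2.2.6</version>
    <downloads>
      <downloadurl type="full" format="zip">https://example.invalid/helix-2.2.6.zip</downloadurl>
    </downloads>
    <targetplatform name="joomla" version="4.[0-9]"/>
  </update>
  <update>
    <name>Helix Ultimate</name>
    <element>plg_system_helixultimate</element>
    <type>plugin</type>
    <folder>system</folder>
    <client>site</client>
    <version>2.2.4</version>
    <downloads>
      <downloadurl type="full" format="zip">https://example.invalid/helix-2.2.4.zip</downloadurl>
    </downloads>
    <targetplatform name="joomla" version="5.[0-9]"/>
  </update>
</updates>
"""


def parse_version(ver: str) -> tuple:
    """'2.2.10' -> (2, 2, 10): compare numerically, never as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def updates_for(feed_xml: str, element: str, joomla_version: str):
    """Yield (version, download_url) for entries Joomla would offer this site."""
    root = ET.fromstring(feed_xml)
    for upd in root.findall("update"):
        if upd.findtext("element") != element:
            continue
        tp = upd.find("targetplatform")
        if tp is None or tp.get("name") != "joomla":
            continue
        # The version attribute is a regular expression matched against the
        # start of the site's Joomla version, e.g. "5.[0-9]" matches "5.2.3".
        if not re.match(tp.get("version", ""), joomla_version):
            continue
        yield upd.findtext("version", default="0"), upd.findtext("downloads/downloadurl", default="")


def check_update(installed: str, feed_xml: str, element: str, joomla_version: str) -> dict:
    """Report what is offered to this platform and what exists in the feed at all."""
    offered = [v for v, _ in updates_for(feed_xml, element, joomla_version)]
    root = ET.fromstring(feed_xml)
    everything = [u.findtext("version", default="0")
                  for u in root.findall("update") if u.findtext("element") == element]
    latest_offered = max(offered, key=parse_version, default=installed)
    latest_any = max(everything, key=parse_version, default=installed)
    return {
        "installed": installed,
        "latest_offered": latest_offered,
        "latest_in_feed": latest_any,
        "update_available": parse_version(latest_offered) > parse_version(installed),
        # True when the feed has a newer build that this site is never shown.
        "newer_but_not_offered": parse_version(latest_any) > parse_version(latest_offered),
    }


if __name__ == "__main__":
    print(check_update("2.2.4", SAMPLE_FEED, "plg_system_helixultimate", "5.2.3"))
```

For a live site, take the feed URL from the `<updateservers>` block of the extension's manifest XML, fetch it with a plain HTTP client, and feed the body to `check_update`; run it from a cron job or a monitoring host rather than trusting the admin panel's cached "Up to Date" banner. A `newer_but_not_offered` result is a reason to contact the vendor, since the site will never be told about that build through Joomla's updater.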
Paul Frankowski
Accepted Answer
Senior Staff 4 days ago #226144

If a hacker can upload a single .php file, later they can do almost anything. They often hide malware file(s) in folders where people don't look, deep in the structure of subfolders. And because Helix is a popular template, they choose that.

About the date: it's the initial release date, not the last update date. But I asked our developer to change at least the year in the next update.

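Paul's advice in two answers above (scan the site deeply for backdoor files after reinstalling, and expect a dropped .php file deep in a subfolder of a popular template) is the audit Bruce describes wanting. The script below is an added example and not JoomShaper's or Joomla's code. It hashes a known-clean tree (in practice the extension zip you installed, unpacked), re-scans the live template directory for files that are new, changed or missing, and grades PHP files with a few static heuristics for the usual web-shell shape: user input reaching an execution or decoding function. The demo tree, its file names (`layout.php`, `.cache.php` under `offcanvas/3-CenterAlign/`) and contents are constructed; the "suspicious" sample only carries the pattern and is deliberately not a working shell.

```python
"""Post-breach integrity audit for a template directory.

Added example, not JoomShaper's or Joomla's code. Paths and file contents in
demo() are constructed; the suspicious sample is intentionally not executable.
"""
import hashlib
import os
import re
import tempfile

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}

# Each category is one trait; a file hitting two or more of them is flagged.
HEURISTICS = {
    "user_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b"),
    "dynamic_exec": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
    "command_exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline


def looks_like_php(path: str) -> bool:
    """PHP by extension, or by content: a shell renamed to .jpg still opens with <?php."""
    if os.path.splitext(path)[1].lower() in PHP_EXT:
        return True
    with open(path, "rb") as f:
        return f.read(8).lstrip().startswith(b"<?php")


def grade_php(path: str) -> list:
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    return [name for name, rx in HEURISTICS.items() if rx.search(src)]


def scan(root: str, baseline: dict) -> dict:
    """Diff the live tree against the baseline and grade every PHP file."""
    current = build_baseline(root)
    suspicious = {}
    for rel in current:
        full = os.path.join(root, rel)
        if looks_like_php(full):
            hits = grade_php(full)
            if len(hits) >= 2:
                suspicious[rel] = hits
    return {
        "unexpected": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "suspicious": suspicious,
    }


def demo() -> dict:
    """Build a constructed template tree, baseline it, then plant two changes."""
    root = tempfile.mkdtemp(prefix="tpl_")

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(text)

    write("offcanvas/1-Default/layout.php", "<?php defined('_JEXEC') or die; echo 'menu';\n")
    write("templateDetails.xml", "<extension><version>2.2.6</version></extension>\n")
    baseline = build_baseline(root)
    # Simulated tampering: one shipped file edited, one dropped deep in a subfolder.
    write("offcanvas/1-Default/layout.php", "<?php defined('_JEXEC') or die; echo 'menu'; // edited\n")
    write("offcanvas/3-CenterAlign/.cache.php",
          "<?php\n// constructed sample: has the web-shell shape, deliberately not executable\n"
          "$d = base64_decode($_POST['p'] ?? '');\n$z = gzinflate($d);\n")
    return scan(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from the vendor zip, not from the live server, otherwise a backdoor planted before the audit becomes part of the "clean" set. Treat every entry in `unexpected` as hostile until explained, regardless of its heuristic score, since a dropper can be a single `include` of a file stored outside the web root.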
Bruce Paine
Accepted Answer
4 days ago #226145

Thank you for doing that.

It is a good thing that the hosting company I am with has excellent malware scanning and reporting. They are swift to communicate with their customers, so issues can be dealt with in a timely manner.

I will be more regularly and proactively monitoring our sites for issues in the future.
