[Locked] SP Page Builder Security Patch and Manual Fix Details - Question | JoomShaper


28 Answers
C
Chriss
Accepted Answer
2 days ago #226392

WOW, ONE WEEK LATER!

0
Ofi Khan
Ofi Khan
Accepted Answer
Support Agent 2 days ago #226396

Hello Chriss

Apology for the delay. We heard your voice and felt the necessity for a free patch. If you have an active SP Page Builder subscription, then you need to update the version to 6.6.2. No further action needed.

If you do not have a subscription, only then use the patch. Just change the file contents of components/com_sppagebuilder/controllers/asset.php and the site will be safe again.

Thanks for keeping your trust in us.

Best regards

0
D
David Forés
Accepted Answer
2 days ago #226400

Just to clarify, when you say that “no further action is needed,” you should specify that this applies only if the website hasn’t been hacked. In that case, it’s true that simply updating the version would be enough.

But if the site has been hacked, no matter how much you update SP Page Builder, the attackers already have complete control over your site and have likely left several hidden backdoors through which they can re-enter. In this case, there is indeed a LOT of work to be done.

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 2 days ago #226424

Thank you for pointing this out. You are right, we should clarify that no further action is needed applies only to websites that were not compromised and have simply updated to the patched version.

If a website was already compromised before applying the update, additional security checks are required, as updating only fixes the vulnerability but does not automatically remove any existing malicious files or changes.

We appreciate your clarification and will make sure our communication is clearer on this point.

0
C
Chriss
Accepted Answer
2 days ago #226402

“Thanks for continuing to trust us.”

No, you've lost that trust. Once again, your help is way too late! The honest answer would have been to delete everything, restore the backup, and buy the update. Don't just slap a file together a week later! Sticking with SP PageBuilder is a mistake!

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 2 days ago #226422

We’re really sorry for the frustration and inconvenience this has caused. We understand your concern, and this is not the experience we want you to have.

The fix was already included in the v6.2.2 patch release. The file we shared separately is the same fixed file for users who need a quick manual solution without going through the full update process.

We truly appreciate your patience and feedback. We’ll continue working to improve our release and support process.

0
Anke Sauer
Anke Sauer
Accepted Answer
2 days ago #226405

Yes, I have to agree with that. I’m now dealing with a huge mess across many of my clients’ websites. And as is often the case with clients, they didn’t necessarily back up their data after their last updates. I can’t even bill them for my work while I’m sitting here trying to get everything back on track. This really shouldn’t happen—after all, they’re putting a lot of money into this, not to mention their trust. My clients trust me, too, and now I have to explain to them why the sites aren’t working anymore. That’s it, then. Thanks a lot for that.

0
C
Chriss
Accepted Answer
2 days ago #226407

I can only recommend rebuilding your website and uninstalling SP PageBuilder as soon as possible. I’ve taken down 6 sites so far, and as you can see here, the effort has totally paid off. The last two are going down now!

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 2 days ago #226423

We sincerely apologize for the trouble and frustration this has caused. We understand how difficult this situation is when managing multiple client websites, and we truly regret the inconvenience.

The fix has already been included in the v6.2.2 patch update. We also shared the specific fixed file separately to help affected users resolve the issue faster.

If any websites are still having issues, please share the details with us. Our team will do our best to help you get everything back on track.

Thank you for your feedback. We take this seriously and will continue improving our release process.

0
A
ANT
Accepted Answer
2 days ago #226411

Thanks for all. I have an old j3 and sppb 3.8.10 (I know) is this normal that asset.php does not exist ?

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 2 days ago #226420

If you are using Page Builder 3, you don’t need to worry about this security update.

0
A
ANT
Accepted Answer
1 day ago #226430

the mail sent today was about joomla 3 and sppb3

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226462

@Ant, answer is already here: https://www.joomshaper.com/forum/question/45163

0
ML
Mike Lawson
Accepted Answer
1 day ago #226436

Figured I'd take a break from fixing my client's hacked websites and chime in on the matter.

Ever considered offering credits to your loyal subscribers? Constantly apologizing over and over is more insulting than it is comforting.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226443

@Chris, not really! This is a free patch for webmasters without an active SPPB subscription.

And as you may know, not all developers do that.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226444

It was general info that you are using old versions at your own risk. We don't update and improve extensions for J3 anymore.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226445

What do you mean saying "credits" ? as I know every software had or will have security holes. Even big ones from Top 100, Windows or Android included!. In this comparison, we are a small "player". And the Joomla market share is only getting smaller every year, not growing :/ Such security problems, therefore, are painful for both sides. Believe me, I'd rather answer the question “How do I change the button color?” 100 times than read about a website being hacked—whether it's because of us or for some other reason.


@Mike, We talk about that face-to-face on Joomla Day 2026, if you will be there.

0
ML
Mike Lawson
Accepted Answer
1 day ago #226473

Credits as in crediting money people pay you for using your product that is completely compromised. I've never encountered a Joomla plugin or component with such a gaping security flaw..until now.

Anyways, any idea how I can stop my website from being hacked?? Something is hacking my root folder and adding .html files and folders...and erasing my .htaccess file. I have V6.6.2 installed and I'm still getting hacked!

0
AM
Ahmad Moussa
Accepted Answer
1 day ago #226455

Hello Toufiq, please is this applied on SP Page Builder 3 on Joomla 3 site?

0
martin
martin
Accepted Answer
1 day ago #226459

that’s a good question

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226461

SPPB 3.8.10 doesn't have the upload custom Icon feature, so the SPPB security problem that was found doesn't affect the 3.x version. Full answer is already here: https://www.joomshaper.com/forum/question/45163 and also here in the middle: https://www.joomshaper.com/forum/question/45152

@Ahmad, @Martin, @Ant, @Indi

0
AM
Ahmad Moussa
Accepted Answer
1 day ago #226463

Thank you Paul for the information.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226504

@Mike

For example, serious vulnerabilities are regularly discovered in the MS Office suite. The last 5 years (the period from 2021 to 2026) have been a time when Microsoft had to deal with both so-called zero-days (vulnerabilities actively exploited by hackers before a patch is released) and a wave of clever bypasses of existing security measures. But somehow I don't recall Microsoft giving users anything in return to customers for their losses. Except, at most, price hikes for subsequent versions.


Check main topic (https://www.joomshaper.com/forum/question/45152) where we all (as community) add many useful tips every single day to help each other. If your infection returns it means that there is hidden a file on your server that allows that. Read what @Yves Lacroix wrote today, at the bottom (from shared link).

0
P
point
Accepted Answer
1 day ago #226517

Hello,

after the recent security announcement regarding SP Page Builder v6.6.2 and the affected file:

components/com_sppagebuilder/controllers/asset.php

I checked several of our Joomla websites that use SP Page Builder.

The only installation where I found this file was the one running SP Page Builder v3.7.14. On that website, the file existed at the mentioned path, so I replaced it with the patched version from the provided GitHub gist.

On the other SP Page Builder installations I checked, using different 3.x versions, this file does not exist at all.

My questions are:

  1. Is this security issue only related to SP Page Builder v6.6.2 and later, or can it also affect older SP Page Builder 3.x versions?
  2. If the file components/com_sppagebuilder/controllers/asset.php does not exist on a website, does that mean the website is not affected by this specific vulnerability?
  3. Should we manually add this patched file to older installations where the file does not exist, or should the patch only be applied if the file is already present?
  4. Since I found the file only on the installation running v3.7.14, does that version require the patch?
  5. For websites running older SP Page Builder 3.x versions, is updating to the latest available 3.x version enough, or is there a separate security fix required?

We manage multiple Joomla websites using SP Page Builder and want to make sure all of them are properly secured.

Thank you.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226522

@Point.

Let's be serious, using version 3.7 from Sep 2021, 5 years later is not the best idea. You should have at least SPPB v3.8.10 (May 2023) and firewall installed (anyway). Why couldn't you update it sooner?


  1. Yes. The fix we shared was for SPPB 5.x and SPPB 6.6.x only. In 6.6.2+ is already fixed.
  2. No
  3. Look (1)
  4. SPPB Pro 3.8.10 can still be downloaded from our website, please use it to update site(s).
  5. Scroll up, what I wrote yesterday here about SPPB 3.8.10. In general, yes.

If you have any other questions, feel free to ask.


Ask your hosting support: Does your server have account (website) isolation in place so that an infected site does not act as a gateway to another site on the same account?

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 day ago #226532

IMPORTANT, READ BEFORE POSTING // IMPORTANTE: LÉELO ANTES DE PUBLICAR // WICHTIG – BITTE VOR DEM POSTEN LESEN // IMPORTANT, À LIRE AVANT DE PUBLIER

The above fix file is only for SP Page Builder 5.x-6.6.1, if you still have SPPB 4.x or SPPB 3.x it is not for you!

If you updated to SPPB 6.6.2+ you have it already.

0
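A read-only triage for one site, combining the version ranges from the staff notice above with the symptoms reported earlier in the thread (new .html files and folders in the web root, a missing .htaccess). This is an added example, not JoomShaper's code; the function names, the known-good baseline list and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

PATCHED_FILE = "components/com_sppagebuilder/controllers/asset.php"  # path from the thread

def parse_version(text):
    """Turn '6.6.1' into (6, 6, 1); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def patch_status(version):
    """Ranges as stated by staff: fix file for 5.x-6.6.1, 6.6.2+ already fixed."""
    v = parse_version(version)
    if v >= (6, 6, 2):
        return "already-fixed"
    if v >= (5, 0, 0):
        return "update-or-apply-fix-file"
    return "fix-file-not-applicable"  # 3.x / 4.x per the staff notice

def triage(root, version, baseline):
    """Compare the web root's top level with a known-good name list (assumed input)."""
    entries = sorted(os.listdir(root))
    unexpected = [e for e in entries if e not in baseline]
    return {
        "patch_status": patch_status(version),
        "asset_php_present": os.path.isfile(os.path.join(root, PATCHED_FILE)),
        "htaccess_missing": ".htaccess" in baseline and ".htaccess" not in entries,
        "unexpected_html": [e for e in unexpected if e.lower().endswith((".html", ".htm"))],
        "unexpected_dirs": [e for e in unexpected if os.path.isdir(os.path.join(root, e))],
    }

def demo():
    """Constructed sample tree: .htaccess gone, one stray .html file, one stray folder."""
    baseline = {".htaccess", "index.php", "components", "administrator"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, os.path.dirname(PATCHED_FILE)))
        open(os.path.join(root, PATCHED_FILE), "w").close()
        os.mkdir(os.path.join(root, "administrator"))
        open(os.path.join(root, "index.php"), "w").close()
        open(os.path.join(root, "promo-x1.html"), "w").close()  # constructed name
        os.mkdir(os.path.join(root, "zz-cache"))                # constructed name
        return triage(root, "6.6.2", baseline)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An "already-fixed" status next to a missing .htaccess or unexpected root entries is the case raised earlier in the thread: the update closes the hole but leaves whatever was planted before it.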
P
Petra
Accepted Answer
21 hours ago #226605

Hi guys,

I installed 6.6.2 on a new site with Joomla 6.1.1 and template selixo (just template installation over fresh Joomla!) and when I want to use the articles addon, there is no way to select the category. Can you please check on your side and advise how to fix it? I tried installing 6.6.1 over it, but it did not help.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 21 hours ago #226609

@Petra, this topic is/was only about security !!!

Yes, we know about that issue. It will be fixed in next update.

Temporarily it can be fixed by using file from older SPPB version. Here is short guide, next time NEW TOPIC !!!

Download any new quickstart (Kind or Nexio or older) and take this file: components\com_sppagebuilder\addons\articles\admin.php

OR

use older SPPB 6.6.0 and take this file from it: site\addons\articles\admin.php

Then using FTP upload & override that file: components\com_sppagebuilder\addons\articles\admin.php

that's all! you're welcome.

0
This topic is locked