Hi JoomShaper team,
I need to say this very directly: the recent security response from JoomShaper has come too late, and it is not acceptable to present this as only one isolated Helix Ultimate issue.
In our hosting and Joomla maintenance environment, we have had to deal with real compromised websites connected to the JoomShaper ecosystem. This includes Helix3-related attack patterns, SP Page Builder upload and iconfont abuse patterns, template parameter manipulation, custom JavaScript defacement, and now Helix Ultimate security fixes.
This is not theoretical. We are seeing production Joomla websites damaged, defaced, injected, or exposed. We have had to clean files, quarantine malware, inspect template settings, check database content, deploy ModSecurity rules, block Helix3 com_ajax probes, block SP Page Builder iconfont PHP execution paths, and deal with customers who simply see that their Joomla website was hacked.
The customer does not care whether the issue came from Joomla core, Helix3, Helix Ultimate, SP Page Builder, a template, or a plugin. They only see “Joomla was hacked”. That seriously damages Joomla’s reputation as a CMS, even when Joomla core is not the real source of the problem.
That is deeply unfair to Joomla. It is also deeply unfair to designers, integrators, agencies, and hosting providers who built legitimate websites using commercial JoomShaper products they trusted.
This recent chain of issues is not small:
Helix3 plugin-related vulnerabilities and attack patterns;
Helix3 com_ajax abuse;
template settings and custom JavaScript manipulation;
defacement payloads injected through template parameters;
SP Page Builder upload endpoint abuse;
suspicious PHP files appearing under SP Page Builder iconfont/font paths;
Helix Ultimate AJAX authorization issues;
Helix Ultimate path validation problems;
Helix Ultimate file upload validation problems;
Helix Ultimate media, layout, blog, Mega Menu, gallery, and template handler validation issues;
multiple XSS issues;
information disclosure through upload and media responses.
This is a broad security problem across the JoomShaper stack, not just a normal routine update.
We are not asking for vague update notices. We need a proper security advisory and practical incident-response guidance.
At minimum, JoomShaper should clearly publish:
all affected Helix3 versions;
all affected Helix Ultimate versions;
all affected SP Page Builder versions;
whether Helix3 and Helix Ultimate can safely coexist on one Joomla installation;
which endpoints were vulnerable;
which attack paths were possible without authentication;
whether attackers could upload files, delete files, overwrite template settings, import/export template styles, or inject custom JavaScript;
exact indicators of compromise;
database tables and template parameters that should be checked;
filesystem paths that should be checked;
recommended WAF or ModSecurity mitigations;
a clear timeline of vulnerability discovery, patching, public disclosure, and user notification.
JCE also had a serious security issue recently. But JCE responded with a new fixed version and a practical patch path for older websites. That is the kind of fast, practical response site owners need during an active exploitation wave.
JoomShaper needs to match that level of responsibility.
A short “update now” email after real websites have already been compromised is not enough.
Also, please stop presenting the JoomShaper developer license as “very affordable” in this context. Compared with other Joomla ecosystem products, and especially after the cleanup cost caused by these incidents, the license price is not what many small agencies and designers would call very affordable.
The real cost is not just the license.
The real cost is emergency cleanup, lost customer trust, unpaid support hours, WAF work, malware scanning, quarantine, restoring broken websites, checking database injections, checking template settings, and explaining to clients why their website was compromised even though they paid for commercial Joomla tools.
This situation creates serious financial and reputational damage for people who are not responsible for the vulnerabilities.
Please treat this as a serious ecosystem-level incident.
JoomShaper needs to provide transparency, detailed mitigation guidance, and a much faster security response for Helix3, Helix Ultimate, and SP Page Builder.