Security Issues With 6.6.2. - Question | JoomShaper

Security Issues With 6.6.2.

Dr. Christian Thomas Jirik

Dr. Christian Thomas Jirik

SP Page Builder 6 days ago

What the hell is up with your latest release 6.6.2??

2026-07-08 09:36:12 sppagebuilder-uploadicon 2a00:1128:0:157::6 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 06:49:32 sppagebuilder-uploadicon 15.157.227.105 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 06:01:53 helix3-comajax 144.225.204.250 /index.php?option=com_ajax&plugin=helix3&format=json blocked 2026-07-08 04:57:43 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:42 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:40 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:37 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:36 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:34 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:33 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:30 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:28 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:26 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:25 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:57:23 sppagebuilder-uploadicon 172.104.42.77 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:25:31 upload-executable 23.26.49.110 /index.php?option=com_jce blocked 2026-07-08 04:25:26 upload-executable 23.26.49.110 /index.php?option=com_jce blocked 2026-07-08 04:25:22 upload-executable 23.26.49.110 /index.php?option=com_jce blocked 2026-07-08 04:25:10 sppagebuilder-uploadicon 2a03:4000:0:3ee:6832:ecff:fed9:6bb4 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked 2026-07-08 04:01:43 sppagebuilder-uploadicon 103.164.183.122 /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon blocked

0
3 Answers
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 6 days ago #228027

Hello,

We understand your concern. However, the log entries you're seeing do not indicate that SP Page Builder 6.6.2 is causing these attacks.

The requests shown in your logs are automated attempts from bots scanning the internet for known endpoints, such as:

  • com_sppagebuilder&task=asset.uploadCustomIcon
  • com_ajax&plugin=helix3
  • com_jce

These scans are common and occur regardless of whether a site is vulnerable or fully up to date. The important point is that your security solution is reporting them as blocked, which means the attacks were prevented successfully.

Please make sure you have installed the latest versions of both SP Page Builder and Helix3, as they contain the necessary security fixes for the recently disclosed vulnerabilities.

Please also note that the com_jce requests are not related to JoomShaper. They are targeting the JCE extension and are unrelated to SP Page Builder or Helix3.

Since the vulnerabilities were publicly disclosed, attackers have been actively scanning the internet for websites that have not yet been updated. As a result, it is expected to continue seeing automated attack attempts against these endpoints, even after your site has been patched. Updating your extensions protects your site from the known vulnerabilities, but it does not prevent bots from attempting to access these URLs.

As long as the requests continue to be blocked and you are running the latest versions of SP Page Builder and Helix3, there is no indication from these logs that your site has been compromised.

If you notice any successful exploitation, unexpected file changes, or suspicious behavior beyond these blocked requests, please let us know and we'll be happy to investigate further.

0
PH
Pascal - HTProtect.org
Accepted Answer
6 days ago #228030

The real question is "what's wrong with these bots" :)

Good news: nothing here is a 6.6.2 security issue. That log is your firewall doing its job - every single line ends in "blocked", so none of it got through. What you're looking at is the normal post-disclosure wave: automated scanners hammering the endpoints that were recently patched - SP Page Builder's uploadCustomIcon, the Helix3 com_ajax probe, plus a JCE upload attempt in there too.

And since you're already on the patched 6.6.2, that endpoint is fixed anyway - so you've got two layers stopping them: the patch and the firewall. The bots will keep knocking for a while after any public disclosure; it's completely harmless as long as it says "blocked". You can safely ignore the noise, or rate-limit/geo-block the loudest IPs if the log volume annoys you.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 6 days ago #228036

@Christian

Bots are blind; they do not know if you have a new version or not. They are just trying ... and yes, you will see the same items for the next weeks or months in logs.

Extra advices:

  1. Ask your hosting support to scan your site and improve firewall settings
  2. Install Firewall component as 2nd security guard (last defence).
  3. Make regular backups.
  4. If you have more than one website on the same server, ask support if you have separation.

That's all. Now you can mark topic as solved.

0