Following our recent security advisory for Helix3, we are sharing official guidance for all sites built on Helix3-based templates.
WHAT IS AFFECTED
The vulnerability exists in the Helix3 framework plugins, not in the template files themselves.
Affected (update required):
- System – Helix3 Framework (
plg_system_helix3)
- Helix3 – Ajax (
plg_ajax_helix3)
All Joomla sites using Helix3-based templates must update these two plugins.
Not affected: Sites that use Helix Ultimate only and do not have the Helix3 plugins installed. This advisory applies to Helix3 only.
REQUIRED ACTION: UPDATE TO THE LATEST VERSION
Please update both Helix3 plugins as soon as possible.
Latest version: 3.1.2
Version 3.1.2 includes the security fix introduced in 3.1.1, along with additional improvements.
In Joomla Administrator, go to:
System → Update → Extensions
and install any available Helix3 updates.
If no update appears, download the latest package from the official download page and install it via:
System → Install → Extensions
https://www.joomshaper.com/downloads/template/helix3
Installing the package from this page updates both the System – Helix3 Framework and Helix3 – Ajax plugins.
IF YOUR SITE MAY ALREADY BE COMPROMISED
If you suspect unauthorized access or unexpected changes:
- Restore your website from a clean backup created before the incident, if available.
- Immediately update both Helix3 plugins to v3.1.2 after the restoration.
- Contact your hosting provider if you do not have your own backup. Many hosting providers maintain automatic daily or weekly backups that may allow your site to be restored to a clean state.
If no backup is available, follow the recovery steps below. Please note that some template settings may need to be restored manually.
RECOVERY STEPS IF YOU CANNOT RESTORE FROM A BACKUP
Step 1 — Remove Malicious Code
Go to:
System → Site Templates → [Your Template] → Template Options
Open the Custom Code section (or the equivalent section provided by your template).
Carefully review the following fields for any unfamiliar or suspicious code:
- Custom JavaScript
- Custom CSS
- Before
</head>
- Before
</body>
Remove any code that you did not intentionally add. This may eliminate injected scripts or malicious content if they were inserted through the template settings.
Also check the /images directory. In general, it should not contain any .php or .json files. If you find any that you did not intentionally upload, delete them immediately.
Step 2 — Update the Helix3 Plugins
Update both Helix3 plugins to v3.1.2 using either:
- Joomla Administrator → System → Update → Extensions
- Or install the latest package from the official download page:
https://www.joomshaper.com/downloads/template/helix3
Step 3 — Restore Template Settings
If your site was compromised, some Helix3 template settings may have been removed or overwritten, including:
- Logo and favicon
- Custom CSS
- Custom JavaScript
- Colors
- Typography
- Layout options
- Other template configuration settings
Helix3 does not maintain an automatic version history of template settings. If these settings were lost and you do not have a database backup or an exported Helix configuration file, they must be recreated manually.
Possible Recovery Options
Database or hosting backup
Restore your website from a backup created before the incident.
Helix settings export
If you previously exported your Helix3 settings using the Import/Export feature, import the JSON file to restore your template configuration.
Media files
Your logo, favicon, and other uploaded assets may still exist in the /images directory even if their references were removed from the template settings. Check Joomla Media Manager and reassign them in the template options.
RECOMMENDATIONS
To reduce the impact of future incidents, we strongly recommend:
- Always keep Helix3 updated to the latest version.
- Export your Helix3 template settings after major configuration changes.
- Maintain regular database and full-site backups.
- Test your backup restoration process periodically to ensure your backups are usable.
- Consider installing a Joomla-compatible Web Application Firewall (WAF). Both free and commercial solutions are available for Joomla 3, 4, 5, and 6.