Dear JoomShaper team,
We are very worried about the current security status of SP Page Builder 6 and the related template/framework stack.
We have trusted SP Page Builder for many years and use it across many customer websites. After the recent uploadCustomIcon security issue, we still had to review, clean, protect, and harden several hundred websites.
In our tests, the latest SP Page Builder version available to us does not fully solve the underlying issue. The access-control situation may have improved, but the upload and archive-handling logic still needs stronger hardening.
We already have OWASP-based WAF rules, proxy protection, and additional server-side security in place. However, these are only compensating controls. The component itself must safely handle uploads, ZIP extraction, file validation, and copying into public media directories.
Because we cannot wait for a final upstream fix while customer sites remain at risk, we created a temporary hardening package.
What we created
We created a proper Joomla installer package and a separate restore/deinstaller package for the SP Page Builder 6 uploadCustomIcon hardening.
The package adds additional protection for ZIP validation, unsafe file rejection, path traversal checks, executable file blocking, safer extraction, sanitized names, allow-listed copying, and public media-folder protection.
The goal is not to replace an official JoomShaper fix. This is an emergency hardening overlay to protect live customer websites now.
Compatibility
The package is intended for SP Page Builder 6.x installations.
Joomla compatibility information, installer details, restore/deinstaller details, and usage notes are documented in the repositories.
Main hardening package:
https://github.com/konzeptplus-gmbh/SPPB-Upload-Custom-Icon-Hardening
Restore / deinstaller package:
https://github.com/konzeptplus-gmbh/SPPB-Upload-Custom-Icon-Hardening-Restore
Request to JoomShaper
We ask JoomShaper to review this issue with urgency and provide a fully reviewed upstream fix, not only a compensating access-control change.
We also ask for a clear public security statement, cleanup guidance for already-compromised sites, and a changelog that clearly states which SP Page Builder and related framework/template versions are safe.
We are willing to share details from our hardening work so this can be solved properly in the official product.
Best regards,
Agon Partners Innovation AG former Konzeptplus GmbH