Fix Joomla 3 Security Issues in One Click

Joomla 3 is end of life. The official project stopped releasing public updates at 3.10.12, but new vulnerabilities keep turning up. Through 2025 and into 2026, more have been disclosed via the eLTS programme, including a SQL injection in the database package and a Media Manager flaw that let editors upload executable PHP files.

Manually patching 59 files per site is tedious enough when you have five sites. When you have five hundred, forget it.

mySites.guru fixes every known Joomla 3 security issue with a single click.

We include all Joomla 3 security fixes in the service. No eLTS subscription needed.

How Does It Work?

The patch tool is in the Site Snapshot for each Joomla 3.10.12 site in your mySites.guru account. One toggle. That’s it.

Note: the toggle works on any Joomla 3.10.12 install. The tool ships every patch through to the latest eLTS backport (3.10.20-elts and beyond), so flipping it on brings the site right up to date in one go.

Under the hood, the mySites.guru connector tracks the MD5 hash of each file that needs patching. Flip the toggle on and it compares hashes against the expected patched versions, replacing anything that doesn’t match. Flip it off and the files revert to stock 3.10.12.

The tool only runs on Joomla 3.10.12, the last publicly released version of the Joomla 3 series. It ignores the commercial eLTS programme entirely.

Where Do You Find the Tool?

Two ways to get there:

1. Cmd+K and search for “Fix All Known Joomla 3”
2. Open your site’s Snapshot and scroll to the Joomla Configuration section

Both paths lead to a tool overview page listing every Joomla 3.10.12 site you manage, along with each site’s current patch status.

How Do You Patch Multiple Sites at Once?

Got dozens or hundreds of Joomla 3 sites? Click the grid icon next to the toggle to open the bulk view. It shows every Joomla 3.10.12 site with individual toggles. If you’re managing multiple Joomla sites from a single dashboard, this bulk view is where you’ll spend most of your time.

Direct link: manage.mysites.guru/en/tools/allsites/Joomla/joomlaconfiguration/joomla3eol

What vulnerabilities does it fix?

Individually, none of these will get your site hacked while you sleep. But stacked together across an unpatched site, they add up. The patch covers 59 files and addresses every known vulnerability disclosed since 3.10.12:

XSS vulnerabilities

• CVE-2024-21724 - XSS in media selection fields
• CVE-2024-21725 - XSS in mail address outputs
• CVE-2024-21726 - Inadequate content filtering within the filter code
• CVE-2024-21731 - XSS in StringHelper::truncate method
• CVE-2024-26278 - XSS in com_fields default field value
• CVE-2024-26279 - XSS in Wrapper extensions
• CVE-2024-40743 - XSS vectors in Outputfilter::strip* methods
• CVE-2024-40747 - XSS vectors in module chromes
• CVE-2024-40748 - XSS vector in the id attribute of menu lists
• CVE-2025-63083 - XSS vector in the pagebreak plugin

Other vulnerabilities

• CVE-2024-27184 - Inadequate validation of internal URLs
• CVE-2024-27185 - Cache poisoning in pagination
• CVE-2024-21723 - Open redirect in installation application
• CVE-2024-21722 - Insufficient session expiration in MFA management views
• CVE-2023-40626 - Exposure of environment variables
• CVE-2024-40749 - Read ACL violation in multiple core views
• CVE-2025-22213 - Malicious file uploads via Media Manager
• CVE-2025-25226 - SQL injection in the quoteNameStr method of the database package

eLTS bug-fix-for-bug-fix patches

• Fixes in 3.10.19-elts that repair broken code shipped in 3.10.18-elts
• Fixes in 3.10.18-elts that repair broken code shipped in 3.10.17-elts

How Do Patched Files Show Up in Audits?

After patching, your mySites.guru audit will flag the modified files as Core File Changes, because they are changes to the original 3.10.12 distribution. You can inspect every diff directly in the audit tool.

Which Files Does the Patch Modify?

The tool patches 59 files: a mix of PHP files (the actual security fixes) and XML form definitions (tighter input validation). You need both. Changing the XML alone isn’t enough.

Why Does Joomla 3 Still Matter?

Joomla 3 is still everywhere. W3Techs shows version 3 running on the majority of Joomla installations, and Joomla’s own usage statistics put 3.10.x at over 35% of reporting sites.

If you run a digital agency, you already know: migrating clients from Joomla 3 to 4 or 5 takes budget, developer time, and client sign-off. That doesn’t happen overnight, and the sites still need protecting in the meantime.

What Is the Joomla 3.10.999 Project?

The patches in mySites.guru come from the open-source Joomla 3.10.999 project. That repo has every Joomla 3.10 version from 3.10.12 onwards, plus diffs for all patches released under the commercial eLTS programme.

Same approach as the earlier Joomla 1.5.999 and Joomla 2.5.999 repos. It’ll be maintained for as long as Joomla 3 sites exist.

Stop patching files by hand

If you’re still running Joomla 3, stop tracking CVEs by hand. Add your sites to mySites.guru, flip the toggle, and get on with your day.

The broader picture of securing Joomla and WordPress sites is covered in the WordPress and Joomla security guide. For Joomla-specific agency workflows, see the Joomla agency handbook.

Start your free trial →