mySites.guru

AI keeps finding Joomla extension vulnerabilities

Today JCE Free and JCE Pro shipped 2.9.99.4, patching two authenticated vulnerabilities in the most widely deployed Joomla editor. Joomla itself shipped 5.4.6 and 6.1.1 on the same day, closing ten more security issues including an MFA bypass and a privilege escalation in com_users. That is twelve Joomla CVEs landing in your inbox before lunch.

LLMs have changed the economics. Point one at an extension and it'll read the whole codebase, suggest the classes of input that might trigger pathological behaviour, and write the fuzzing harness to confirm. A researcher who would have spent a week manually auditing one parser can now sweep a hundred packages in an afternoon. The extensions aren't getting worse. Looking for bugs in them just got a lot cheaper. Expect more advisories, more often, on both Joomla and WordPress.

The practical defence is uninteresting and works: keep extensions current, audit which user groups have backend or frontend access, and turn on auto-updates so the next 24-hour patch turnaround lands while you sleep. The rest of this email is what's been published in May to help with that.

All guides are free to read on the blog

Today

JCE 2.9.99.4 patches two authenticated vulnerabilities in the most popular Joomla editor

JCE Free and JCE Pro 2.9.99.4 patch an Editor Profile assignment bypass and a directory traversal in filesystem search. Exploitation needs a logged-in Joomla session, which on a site with public registration is anyone who can fill out the signup form. The developer turned the fix around in 24 hours. Update every site running JCE today and have a look at any Editor Profile with broad filesystem access while you're at it.

Read the full breakdown

Also new in May 2026

New

Joomla 5.4.6 and 6.1.1 ten security patches

Joomla 5.4.6 and 6.1.1 Patch TEN Security Issues

New

mySites.guru compatible with WordPress 7

mySites.guru is fully compatible with WordPress 7.0

New

WP_AI_SUPPORT: Disable WordPress 7 AI Across Every Site

New

Avada Builder Patches Two Security Issues in 3.15.3

Feature

Let mySites.guru push the next 24-hour patch while you sleep

Enable Joomla extension auto-updates in mySites.guru

Thousands of opted-in Joomla sites picked up JCE 2.9.99.4 overnight without anyone logging in. If yours did not, the new guide walks through enabling auto-updates for any Joomla extension, with backup and rollback steps that keep client sites safe if an update breaks. Stage roll-outs against a test site first if you want, but the cost of leaving extension auto-updates off is the next email like this one.

See how to enable it

Need help with your site?

Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues

Get expert help today

If I can't add value, you don't pay

mySites.guru

Website management since 2012

Unsubscribe