Joomla Novarain/Tassos Framework SQLi Vulnerabilities Enable Full Site Takeover


Emy Elsamnoudy
February 16, 2026

Critical security flaws in the Novarain/Tassos Framework leave websites open to unauthenticated file read, file deletion, and SQL injection attacks. On unpatched systems, these vulnerabilities could escalate to remote code execution and full administrator takeover. The issues impact multiple popular Tassos extensions, requiring urgent patching through the vendor’s updated releases.

A source‑code review of the shared Novarain/Tassos Framework system plugin (plg_system_nrframework) uncovered three exploitable primitives, all reachable through a com_ajax handler that processes the task=include action without proper hardening.

By abusing this entry point, an attacker can invoke PHP classes under the Joomla site root that implement an onAjax method, effectively turning internal helper classes into remotely reachable gadgets.

Within these gadgets, one class mishandles CSV loading and can be coerced into reading arbitrary files accessible to the webserver user, while another exposes a remove action that deletes attacker‑supplied paths without any further validation.

A third class, used for dynamic field population, passes attacker‑controlled parameters into database queries, creating an SQL injection primitive capable of arbitrary table and column reads under the Joomla database account.

Chaining these capabilities allows an external attacker to steal administrator session data from the database, pivot into the backend, and then deploy a malicious extension or modify templates to gain persistent RCE.

Affected components and impact

The vulnerable framework is bundled into several widely deployed Joomla extensions, including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack, meaning many sites inherit the risk indirectly through these add‑ons.

Component / Extension                                Affected versions
Novarain/Tassos Framework (plg_system_nrframework)   v4.10.14 – v6.0.37
Convert Forms                                        v3.2.12 – v5.1.0
EngageBox                                            v6.0.0 – v7.1.0
Google Structured Data                               v5.1.7 – v6.1.0
Advanced Custom Fields                               v2.2.0 – v3.1.0
Smile Pack                                           v1.0.0 – v2.1.0

Because the bundled plg_system_nrframework plugin is the actual entry point, a site is exploitable as long as that system plugin remains enabled on an internet‑facing installation, regardless of which of the listed extensions pulled it in.
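The quickest triage question is whether an installed build falls inside the ranges in the table above. The following is an added example, not vendor or project code: it parses the `<version>` element of a Joomla extension manifest (the manifest XML below is constructed for the demo; on a live site you would read files such as plugins/system/nrframework/nrframework.xml, a path assumed here rather than taken from the advisory) and compares it against the published inclusive ranges with a proper numeric comparison, so that "6.0.9" is correctly ordered before "6.0.37".

```python
"""Check Tassos/Novarain component versions against the advisory's affected ranges.

Added example for this article; not code from the vendor, Joomla, or the researchers.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the advisory table above.
AFFECTED_RANGES = {
    "Novarain/Tassos Framework": ("4.10.14", "6.0.37"),
    "Convert Forms": ("3.2.12", "5.1.0"),
    "EngageBox": ("6.0.0", "7.1.0"),
    "Google Structured Data": ("5.1.7", "6.1.0"),
    "Advanced Custom Fields": ("2.2.0", "3.1.0"),
    "Smile Pack": ("1.0.0", "2.1.0"),
}

# Constructed sample manifest, shaped like a Joomla plugin manifest (name + version
# elements). The version number is invented for the demo.
SAMPLE_MANIFEST = """
<extension type="plugin" group="system" method="upgrade">
    <name>plg_system_nrframework</name>
    <version>6.0.30</version>
    <description>Shared framework plugin (sample)</description>
</extension>
"""


def parse_version(version: str) -> tuple:
    """Turn '6.0.37' into (6, 0, 37). Pre-release suffixes such as '-beta1' are
    dropped and short versions are zero-padded so '6.0' compares equal to '6.0.0'."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(component: str, version: str) -> bool:
    """True if `version` lies inside the advisory's inclusive range for `component`."""
    low, high = AFFECTED_RANGES[component]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def manifest_version(xml_text: str) -> str:
    """Extract the <version> element from a Joomla extension manifest."""
    root = ET.fromstring(xml_text)
    element = root.find("version")
    if element is None or not element.text:
        raise ValueError("manifest has no <version> element")
    return element.text.strip()


def audit(installed: dict) -> dict:
    """Map each installed component (name -> version string) to whether it is affected."""
    return {name: is_affected(name, version) for name, version in installed.items()}


if __name__ == "__main__":
    found = manifest_version(SAMPLE_MANIFEST)
    report = audit({"Novarain/Tassos Framework": found, "Convert Forms": "5.1.1"})
    for name, vulnerable in report.items():
        print(f"{name}: {'AFFECTED, update now' if vulnerable else 'outside affected range'}")
```

The manifest version is the right source of truth for a quick check; the Joomla extension manager shows the same number, but reading the file lets you sweep many sites from a shell without logging into each backend.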

Because the attack vector relies solely on unauthenticated AJAX requests, common hardening steps such as restricting the administrator backend to specific roles or adding extra passwords in front of it do not mitigate the issue.

Plugin‑level secrets likewise do not prevent compromise once an attacker can already read or delete files and query the database.

In realistic attack chains, adversaries can exploit SQL injection to obtain super admin sessions, log into the backend, and then weaponize file-write paths to execute arbitrary PHP code, leading to a full site takeover.

The vendor has responded by shipping fixed builds of the Tassos Framework and affected extensions, available through the official downloads section and standard Joomla update mechanisms.

The vulnerabilities were discovered by independent security researcher p1r0x in collaboration with SSD Secure Disclosure.

Administrators should immediately update all Tassos components or temporarily turn off the plg_system_nrframework plugin and related extensions on exposed sites until patching is complete.

As a defense‑in‑depth step, operators should restrict or filter com_ajax traffic at the web server or WAF, and review logs for suspicious task=include requests, unusual CSV‑related AJAX activity, or unexplained file deletions that may indicate attempted exploitation.
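To make the log review above concrete, here is an added example (not code from the article, the vendor, or the researchers) that scans Apache/nginx combined-format access log lines for com_ajax requests carrying the task=include action described in the article, plus generic indicators of the file-read and file-delete primitives. The sample log lines are constructed for the demo; the parameter names option, plugin, format and task follow Joomla's com_ajax conventions, while the extra parameters in the sample attack lines are invented placeholders, and the plugin name nrframework is assumed from plg_system_nrframework rather than taken from a confirmed request.

```python
"""Flag suspicious Joomla com_ajax requests in web server access logs.

Added example for this article; the heuristics and sample lines are constructed,
not taken from a real incident or the original advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines. Lines 1 and 3 mimic probing of the nrframework AJAX
# handler (extra parameter names are invented); 2 and 4 are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax'
    '&plugin=nrframework&format=raw&task=include&path=..%2F..%2Fconfiguration.php HTTP/1.1"'
    ' 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [16/Feb/2026:10:01:05 +0000] "GET /index.php?option=com_ajax'
    '&plugin=convertforms&format=raw&task=submit HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2026:10:01:09 +0000] "POST /index.php?option=com_ajax'
    '&plugin=nrframework&format=raw&task=include&action=remove&file=..%2F.htaccess HTTP/1.1"'
    ' 200 12 "-" "curl/8.4"',
    '192.0.2.9 - - [16/Feb/2026:10:02:00 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Parse one combined-format line into ip, timestamp, target and decoded query params."""
    match = LOG_RE.match(line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    raw = parse_qs(query, keep_blank_values=True)  # percent-decodes values (..%2F -> ../)
    params = {k.lower(): [v.lower() for v in vals] for k, vals in raw.items()}
    return {"ip": match.group("ip"), "ts": match.group("ts"),
            "target": match.group("target"), "params": params}


def classify(params: dict) -> list:
    """Return the reasons a request looks like nrframework probing; empty if benign."""
    if params.get("option") != ["com_ajax"]:
        return []  # only the com_ajax entry point is in scope
    reasons = []
    if any("nrframework" in p for p in params.get("plugin", [])):
        reasons.append("nrframework plugin targeted")
    if "include" in params.get("task", []):
        reasons.append("task=include (gadget loader entry point)")
    flat = " ".join(v for vals in params.values() for v in vals)
    if "../" in flat or "..\\" in flat:
        reasons.append("path traversal sequence in parameters")
    if ".csv" in flat:
        reasons.append("CSV path in parameters (file read pattern)")
    if "remove" in flat:
        reasons.append("remove action in parameters (file deletion pattern)")
    return reasons


def scan(lines) -> list:
    """Run every line through the classifier and return only the flagged requests."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        reasons = classify(record["params"])
        if reasons:
            hits.append({"ip": record["ip"], "ts": record["ts"],
                         "target": record["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Two caveats when running this against real logs: POST bodies are not in access logs, so a request that carries its parameters in the body will only show the option and plugin fields (which is why the plugin-name match is kept as its own indicator), and deletions leave no direct trace in the access log, so pair this with file-integrity monitoring or a comparison of the site tree against the installed package contents.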

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
