Joomla Patches Critical SQL Injection and File Read Vulnerabilities CVE-2023-23752

Emy Elsamnoudy
February 16, 2026

Key Takeaways

  • Critical vulnerabilities in the Novarain/Tassos Framework affect numerous Joomla extensions.
  • These flaws enable unauthenticated SQL injection, arbitrary file reading, and file deletion.
  • Successful exploitation could lead to remote code execution and full administrator control over affected websites.
  • Patches are available and administrators are urged to update immediately.

A series of critical security vulnerabilities within the Novarain/Tassos Framework, widely utilized by various Joomla extensions, expose websites to severe risks including unauthenticated file reading, file deletion, and SQL injection. If left unpatched, these flaws present a direct path to remote code execution (RCE) and complete administrative compromise of affected Joomla installations.

An in-depth analysis of the shared Novarain/Tassos Framework system plugin, plg_system_nrframework, revealed three fundamental security primitives. All three are exposed through insufficient validation in an AJAX handler that processes the task=include action.

Exploitation Chain and Impact

Attackers can leverage this entry point to invoke specific PHP classes located within the Joomla site’s root directory that implement an onAjax method. This effectively transforms internal helper classes into remotely accessible “gadgets” that can be manipulated.

One such gadget involves a class that improperly handles CSV loading. This flaw can be coerced into reading arbitrary files accessible to the webserver user, potentially exposing sensitive configuration or user data.

Another vulnerable class exposes a “remove” action, allowing the deletion of attacker-specified file paths without adequate validation. This could lead to denial-of-service or pave the way for further system compromise.

A third critical flaw lies within a class designed for dynamic field population. This class passes attacker-controlled parameters directly into database queries, creating an SQL injection primitive. This vulnerability allows for the reading of arbitrary tables and columns under the Joomla database account, including sensitive administrator session data.

By chaining these capabilities, an external attacker can steal administrator session information from the database, gain access to the backend, and then deploy malicious extensions or modify templates to achieve persistent remote code execution, culminating in a full site takeover.

Affected Components and Impact

The vulnerable Novarain/Tassos Framework is integrated into several popular Joomla extensions, meaning many websites inherit this risk indirectly. These include Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack.

Component / Extension                               Affected versions
Novarain/Tassos Framework (plg_system_nrframework)  v4.10.14 – v6.0.37
Convert Forms                                       v3.2.12 – v5.1.0
EngageBox                                           v6.0.0 – v7.1.0
Google Structured Data                              v5.1.7 – v6.1.0
Advanced Custom Fields                              v2.2.0 – v3.1.0
Smile Pack                                          v1.0.0 – v2.1.0

The impact extends to various versions of the Novarain/Tassos Framework (plg_system_nrframework) and specific releases of each listed extension. Exploitation remains possible as long as the system plugin is enabled on any internet-facing Joomla site.

Given that the attack vector relies solely on unauthenticated AJAX requests, conventional hardening measures such as restricting administrative access or adding extra passwords are insufficient to prevent compromise. Once an attacker can read or delete files and query the database, plugin-level secrets offer no additional defense.

The vendor has responded by releasing updated builds of the Tassos Framework and all affected extensions. These patches are available through the official download sections and standard Joomla update mechanisms. The vulnerabilities were independently discovered by security researcher p1r0x in collaboration with SSD Secure Disclosure.

What You Should Do

  • Update Immediately: Administrators must promptly update all Novarain/Tassos components and affected extensions to their latest patched versions.
  • Disable Temporarily: If immediate patching is not feasible, temporarily disable the plg_system_nrframework plugin and any related extensions on exposed sites.
  • Filter Traffic: Implement defense-in-depth by restricting or filtering com_ajax traffic at the web server or Web Application Firewall (WAF) level.
  • Monitor Logs: Regularly review web server and application logs for suspicious task=include requests, unusual CSV-related AJAX activity, or unexplained file deletions, which could indicate attempted exploitation.
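For the log-monitoring step, here is an added example (not code from the advisory, the vendor, or the researchers) that applies the indicators named above to constructed access-log lines: it flags com_ajax requests carrying task=include, calls that name the nrframework plugin, or CSV keywords, and counts clients that repeat such requests. The plugin=nrframework and task=export_csv values in the sample lines are assumptions for illustration, not parameters taken from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 documentation IPs). The plugin=nrframework and
# task=export_csv values are assumptions for this example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Feb/2026:10:01:03 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [16/Feb/2026:10:02:44 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8843 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Feb/2026:10:03:15 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [16/Feb/2026:10:04:00 +0000] "GET /index.php?option=com_ajax&plugin=otherplugin&format=raw&task=export_csv HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_reasons(path):
    """List why a request path matches the advisory's indicators (empty list = benign)."""
    qs = parse_qs(urlsplit(path).query)
    first = lambda k: qs.get(k, [""])[0].lower()
    if first("option") != "com_ajax":
        return []                      # only com_ajax reaches plugin onAjax handlers
    reasons = []
    if first("task") == "include":
        reasons.append("task=include on com_ajax")
    if "nrframework" in first("plugin"):
        reasons.append("call into plg_system_nrframework")
    if "csv" in path.lower():
        reasons.append("CSV-related AJAX activity")
    return reasons

def scan_log(log_text, burst_threshold=3):
    """Flag matching requests and the clients that repeat them at least burst_threshold times."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                   # skip lines that are not access-log records
        reasons = suspicious_reasons(rec["path"])
        if reasons:
            per_ip[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"], "reasons": reasons})
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return findings, bursts
```

Calling scan_log(SAMPLE_LOG) returns four flagged requests and reports 203.0.113.10 as a repeat client; the ordinary com_content page view and a com_ajax call without any of the indicators are left alone.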
