03 July 2026

A number of zero-day vulnerabilities were discovered in three well-known Joomla! extensions in June 2026. If you are on an older version of Joomla! and cannot update those extensions, you can use the features provided by Admin Tools Professional to protect your site.

The .htaccess Maker can keep you safe

The vulnerabilities only allow an attacker to upload a PHP file under a predictable path to your site. For the attacker to gain access to your site, the malicious file uploaded by the attacker needs to be executed over the web.

We have, of course, predicted and mitigated this, ever since the very first public version of Admin Tools Professional was released sixteen years ago.

Admin Tools’ .htaccess Maker feature for Apache and LiteSpeed servers – and its sibling features NginX Config Maker for NginX servers, and Web.Config Maker for IIS servers – are designed to mitigate exactly this kind of vulnerability. Because these features prevent direct web access to arbitrary PHP files on your site, the attacker may still have been able to upload the malicious file, but would have failed to hack you because they could not execute it.

Admin Tools proposes to enable this feature by default when you first configure it. The actual subfeatures which provide this protection, Frontend Protection and Backend Protection, are enabled by default.

Blocking the malicious uploads

Having malicious files uploaded is scary, even if they are effectively inert. The good news is that you can configure Admin Tools to block these malicious uploads. The bad news is that by doing so you will lose access to the vulnerable feature of the affected extension.

Ideally, you should update your site to a supported Joomla version, and your extensions to their latest published version. If you cannot do that for any reason, we are documenting the possible mitigations below.

SP Page Builder

Go to your site’s administrator backend, Components, Admin Tools, Web Application Firewall, WAF Deny List. Create a new rule with the following settings:

  • Application: (Any)
  • HTTP Verb: POST
  • Component: SP Page Builder
  • View Name: asset
  • Task: uploadCustomIcon
  • Query Parameter filter type: Exact
  • Query Parameter: (leave empty)
  • Query Content: (leave empty)

You will lose access to the custom icon upload feature.

JCE

Go to your site’s administrator backend, Components, Admin Tools, Web Application Firewall, WAF Deny List. Create a new rule with the following settings:

  • Application: (Any)
  • HTTP Verb: POST
  • Component: JCE
  • View Name: profiles
  • Task: import
  • Query Parameter filter type: Exact
  • Query Parameter: (leave empty)
  • Query Content: (leave empty)

You will lose the ability to import custom profiles from a file.

iCAgenda

There has been no publicly available information about the vulnerability. However, based on the files changed between the vulnerable and the fixed release we think that the following recommendation will very likely work.

If you have access to both the vulnerable and the fixed versions of iCAgenda, we would appreciate it if you could message us in the Pre-sales category of our ticket system so we can ask you for a copy of each version. It would allow us to perform an exact diff between the two versions, reproduce what we believe is happening, and be certain about this workaround.

Go to your site’s administrator backend, Components, Admin Tools, Web Application Firewall, WAF Deny List. Create a new rule with the following settings:

  • Application: (Any)
  • HTTP Verb: POST
  • Component: iCAgenda
  • View Name: submit
  • Task: save
  • Query Parameter filter type: Exact
  • Query Parameter: (leave empty)
  • Query Content: (leave empty)

Unfortunately, we think that this will completely disable any submissions from any user, guest or logged in, which may make this extension practically unusable on your site.
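
To see whether the endpoints covered by the three deny-list rules above have already been requested on your site, you can search your access logs for matching POST requests. The Python script below is an added example, not part of Admin Tools or of the original article. It assumes combined-format access logs, that the component, view and task appear in the URL query string (values sent only in the POST body are not logged), and that the Joomla option names are com_sppagebuilder, com_jce and com_icagenda.

```python
import re
from urllib.parse import urlsplit, parse_qs

# View and task come from the three deny-list rules on this page.
# Assumption: the com_* option names, which the page does not state.
RULES = {
    "SP Page Builder": ("com_sppagebuilder", "asset", "uploadcustomicon"),
    "JCE": ("com_jce", "profiles", "import"),
    "iCAgenda": ("com_icagenda", "submit", "save"),
}

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def match_rule(verb, url):
    """Return the extension whose rule matches this request, else None."""
    if verb != "POST":
        return None
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    option, view, task = (
        query.get(key, [""])[-1].strip().lower() for key in ("option", "view", "task")
    )
    # Assumption: in Joomla's dotted form task=<controller>.<task>, the
    # controller name stands in for the view when no view= is given.
    if "." in task:
        controller, task = task.rsplit(".", 1)
        view = view or controller
    for name, rule in RULES.items():
        if (option, view, task) == rule:
            return name
    return None

def scan(lines):
    """Yield (ip, timestamp, status, extension) for each matching log line."""
    for line in lines:
        m = LOG_RE.match(line)
        hit = match_rule(m["verb"], m["url"]) if m else None
        if hit:
            yield m["ip"], m["ts"], m["status"], hit

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [20/Jun/2026:10:01:02 +0000] "POST /index.php?option=com_sppagebuilder&view=asset&task=uploadCustomIcon HTTP/1.1" 200 512',
    '198.51.100.9 - - [21/Jun/2026:11:15:40 +0000] "POST /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 199',
    '203.0.113.7 - - [22/Jun/2026:09:30:00 +0000] "POST /index.php?option=com_icagenda&view=submit&task=save HTTP/1.1" 403 199',
    '192.0.2.44 - - [22/Jun/2026:09:31:12 +0000] "POST /index.php?option=com_content&view=form&task=save HTTP/1.1" 303 0',
]
```

Pass any iterable of log lines, such as an open log file, to scan(). A matching request that was logged with a 200 status before you created the deny-list rule is the one to investigate first.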