Support

Admin Tools

#42630 Problem with YOOtheme pro 5

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
5.4.2
PHP version
8.4.5
Admin Tools version
7.8.4

Latest post by webfeuerflo on Wednesday, 14 January 2026 09:08 CST

Wednesday, 14 January 2026 06:13 CST

webfeuerflo

I just noticed a problem with the new YOOtheme pro 5 update. If you want to access the yootheme builder directly from within an article with clicking on the "YOOtheme" button in the article, I get a "Forbidden. You don't have access to this ressource" error. 

I have to disable the "Protect against common file injection attacks" feature in the htaccess maker to make it work again.

the blocked url looks like this: https://www.example.com/administrator/index.php?option=com_ajax&p=customizer&templateStyle=9&format=html&site=https%3A%2F%2Fwww.example.com.at%2Fblog%2F20-achievement-unlocked&return=https%3A%2F%2Fwww.example.com%2Fadministrator%2Findex.php%3Foption%3Dcom_content%26view%3Darticle%26layout%3Dedit%26id%3D20

Wednesday, 14 January 2026 07:36 CST

nicholas

It sounds like you have found a solution to your problem which is caused by the fact that YouTheme chose to use raw URLs in GET requests, something which is discouraged and does trigger various security protections (not just Admin Tools). The correct way is how Joomla does it, using base64 encoding. This is something well-understood and known since the Joomla 1.0 release 20 years ago.

If you ask me if it's safe to disable this feature, yeah, it's not the end of the world. It blocks some extremely rare attacks. If you had asked me about something like "Front-end protection" I would have said hell no, you can't disable that, I've seen thousands of sites which would've been hacked by past 3PD extension vulnerabilities had it not been for this feature.

In the end of the day I can't force YouTheme to write their software better, and not for lack of trying. All I can on my end is give you options to loosen security on your site enough to run YouTheme's software. It's ultimately up to you to balance convenience and security on your site. There is no one-size-fits-all answer. It always depends on your use case and your priorities.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 14 January 2026 09:08 CST

webfeuerflo

Thank you, I pass it on to the yootheme developers

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!