Joomla! released version 3.9.11 on August 13, 2019, to patch a vulnerability affecting versions 1.6.2 through 3.9.10. This security update fixes an issue that allowed mail submission through disabled contact forms.

Prior to this patch, anyone could trigger a mail submission through the contact form even when the form was disabled. The com_contact component is enabled by default in Joomla! installations, so any site running Joomla! 1.6.2 through 3.9.10 is affected. When no contacts are defined or the contact form is disabled, the component should not be able to send an email at all; because the submission was not adequately checked, it could still be used to send spam.

It is well documented that this functionality is being exploited to send spam e-mails from Russian and Chinese domains without the website owner's consent. A spambot can identify the version of Joomla! a site is running and then push spam through the form, even when no contacts are defined on the site. This is a real problem for site owners, because hosting providers suspend customer sites to stop spam from being sent through the vulnerable com_contact component.
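Spam sent through the contact form shows up in the web server access log as repeated POSTs to the contact submit task, usually from a single client. The script below is an added example, not SiteLock's or Joomla's code, that flags such bursts and checks whether a version string falls in the affected range named above. It assumes the Joomla! 3 contact form posts to index.php with the parameters option=com_contact and task=contact.submit (an assumption about the form, not something stated on this page) and that the log is in the Apache/Nginx "combined" format; the log lines are constructed for the example.

```python
"""Added example: detect bursts of Joomla! com_contact mail submissions in an
access log and check whether a Joomla! version is in the affected range.

Assumptions (not from the article): the contact form posts to index.php with
option=com_contact and task=contact.submit; log lines are in "combined" format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log: one normal visitor, then one client hammering the
# submit task with a scripted user agent.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2019:10:00:01 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Aug/2019:10:00:20 +0000] "POST /index.php?option=com_contact&task=contact.submit HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2019:10:05:00 +0000] "POST /index.php?option=com_contact&task=contact.submit&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.22"
198.51.100.9 - - [14/Aug/2019:10:05:01 +0000] "POST /index.php?option=com_contact&task=contact.submit&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.22"
198.51.100.9 - - [14/Aug/2019:10:05:02 +0000] "POST /index.php?option=com_contact&task=contact.submit&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.22"
198.51.100.9 - - [14/Aug/2019:10:05:03 +0000] "POST /index.php?option=com_contact&task=contact.submit&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.22"
198.51.100.9 - - [14/Aug/2019:10:05:04 +0000] "POST /index.php?option=com_contact&task=contact.submit&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.22"
198.51.100.9 - - [14/Aug/2019:10:06:00 +0000] "GET /administrator/ HTTP/1.1" 200 2048 "-" "python-requests/2.22"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_contact_submit(method, path):
    """True for a POST carrying the assumed com_contact submit parameters."""
    if method != "POST":
        return False
    q = parse_qs(urlparse(path).query)
    return q.get("option") == ["com_contact"] and q.get("task") == ["contact.submit"]


def find_submit_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: max_submits_in_window} for clients that POST to the submit
    task at least `threshold` times inside any `window` of time."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_contact_submit(rec["method"], rec["path"]):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def is_affected_version(version):
    """True if a dotted Joomla! version string is within 1.6.2 .. 3.9.10,
    the range the article names as affected."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 6, 2) <= parts <= (3, 9, 10)


if __name__ == "__main__":
    print(find_submit_bursts(SAMPLE_LOG))
    print(is_affected_version("3.9.10"), is_affected_version("3.9.11"))
```

A threshold of three submissions in five minutes from one address is a starting point, not a rule; tune it against the normal contact volume of the site, and remember that a client who can identify the Joomla! version will usually fetch other well-known paths too, so the flagged address is worth checking across the whole log.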

Joomla! has addressed this vulnerability in version 3.9.11. Although Joomla! has classified the issue as low severity, site owners should upgrade to the most recent version immediately. This is especially true for site owners already seeing spam emails sent from their domain.

The good news for SiteLock INFINITY customers is that this vulnerability will be automatically patched on their next website scan. However, in order to take advantage of the bug fix, site owners must complete a full version upgrade to version 3.9.11. For more information on automated patching services for your Joomla! site, contact us today and ask about SiteLock INFINITY. We are available 24/7 at 855.378.6200.

By Blake Collins