Joomla! readies patch for core vulnerability so critical it isn’t talking

Share this…

Patch to drop 1400 UTC, Tuesday. And the haste of its release suggests this is scary.

The world’s second-favourite content management system, Joomla!, is warning of a critical security hole so bad its developers aren’t saying what it fixes.

The Register understands a patch for the mystery hole will take the name of version 3.6.4 and will be published around 1400 UTC today, October 25th.

Joomla! has been downloaded more than 75 million times and runs on big ticket sites including McDonalds, Ikea, General Electric,, and major news sites.


WordPress leads the open-source content management pack with some 140 million downloads.

The Joomla! security strike team says only that it was “informed of a critical security issue in the Joomla! core” which is a “very important security fix”.

“Until the release is out, please understand that we cannot provide any further information,” the security team says.

It is difficult to speculate on the possible vulnerability and administrators should take measured steps to prepare for the release of the upcoming patch, rather than hyperventilate.

However, Jooma!’s reticence to publish details before patches are issued combined with its description of the bug as critical suggests the problem allows either data siphoning bug or server compromise.

If either scenario is thee case, administrators should expect black hats to exploit the flaw as soon as they can build exploits.

From there – based on the exploitation historical major vulnerabilities – attacks could spread to compromise Joomla! instances that remain un-patched in the ensuing days and weeks.