GBHackers

Joomla Vulnerabilities in Novarain/Tassos Framework Expose SQL Injection Risks


Joomla site owners using extensions that bundle the Novarain/Tassos Framework are being warned after a source code review identified multiple attack primitives that can be chained together to achieve administrator takeover and reliable remote code execution (RCE) on unpatched instances.

The issues affect extensions that ship the same system plugin, historically called Novarain Framework and later rebranded as Tassos Framework (plg_system_nrframework), with affected products including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack.

The review describes three core primitives exposed through the framework’s AJAX handling: an unauthenticated file read, an unauthenticated file deletion, and a SQL injection condition that can be used for arbitrary database reads.

The root cause centers on an AJAX “include” task pattern that can be abused to load attacker-chosen classes/files under the Joomla site root and then invoke an onAjax handler, expanding the reachable attack surface beyond what a public endpoint should allow.

From there, the report outlines how specific field handlers in the framework can be abused. In one path, incorrect file-type checks around CSV processing enable reads of local files accessible to the Joomla web user.

On another path, an AJAX “remove” action triggers direct filesystem deletion via unlink(). A third path uses attacker-influenced parameters in database-backed item retrieval logic, resulting in SQL injection that allows reading arbitrary tables/columns available to the configured database user.

Chaining these primitives enables practical exploitation. The write-up’s kill chain is to exploit SQL injection to harvest or influence high-privilege session data, authenticate as an administrator, and then upload a malicious extension or modify the template PHP to enable code execution.

At the same time, filesystem deletion can also be used to remove defensive gates (for example, .htpasswd) and destabilize sites during intrusion.

The vulnerabilities were credited to independent researcher p1r0x, working with SSD Secure Disclosure, and the vendor response states updates have been released via the vendor’s Downloads section.

Tassos’ own documentation confirms extensions are distributed and updated through its downloads workflow, including manual install/update via Joomla’s Extension Manager and use of a Download Key stored in the “System – Tassos Framework” plugin for auto-updates.

Administrators should treat this as an internet-facing risk and prioritize remediation. If you cannot patch immediately, turn off the affected extensions (or the plg_system_nrframework plugin) temporarily, and restrict access to ?option=com_ajax endpoints at the WAF or web-server layer.
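One way to act on that advice while you wait for the patch is to look at who is already calling the endpoint. The following script is an added example for this article (not code from the article, the researcher, or the vendor): it parses Apache/nginx combined-format access-log lines, flags requests that reach Joomla’s com_ajax dispatcher for a watched plugin, and encodes the same decision a web-server or WAF rule would make. It assumes plg_system_nrframework is addressed as ?option=com_ajax&plugin=nrframework (Joomla’s usual onAjax<Plugin> naming); confirm the exact plugin name on your own site. The log lines are constructed sample data.

```python
"""Triage Joomla web-server logs for traffic to the com_ajax endpoint.

Added example for this article; not code from the article, the researcher or
the vendor. Assumption: plg_system_nrframework is reached as
?option=com_ajax&plugin=nrframework (Joomla's onAjax<Plugin> convention).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=json HTTP/1.1" 200 88
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9041
198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /index.php?option=com_ajax&plugin=otherext&format=json HTTP/1.1" 200 120
203.0.113.5 - - [10/Mar/2025:10:00:05 +0000] "GET /component/ajax?plugin=nrframework&format=raw HTTP/1.1" 200 512
garbage line that does not parse
"""


def classify_target(target: str) -> Tuple[str, str]:
    """Return (component option, ajax plugin name) for a request target."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    option = qs.get("option", [""])[0]
    # Joomla also routes the SEF path /component/ajax to com_ajax, so a rule
    # that only inspects the query string for option=com_ajax misses that form.
    if parts.path.rstrip("/").endswith("/component/ajax"):
        option = "com_ajax"
    return option, qs.get("plugin", [""])[0]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one combined-format line, plus option/plugin; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["option"], fields["plugin"] = classify_target(fields["target"])
    return fields


def ajax_requests(log_text: str, watched=frozenset({"nrframework"})) -> List[Dict[str, str]]:
    """Every parsed request that hit com_ajax for one of the watched plugins."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["option"] == "com_ajax" and f["plugin"] in watched:
            hits.append(f)
    return hits


def per_source(hits: List[Dict[str, str]]) -> Counter:
    """Count watched-plugin AJAX calls per client IP to prioritise review."""
    return Counter(h["ip"] for h in hits)


def should_block(target: str, denied=frozenset({"nrframework"})) -> bool:
    """Decision a WAF/web-server rule would take: deny com_ajax calls for the
    named plugins only, so other extensions' AJAX traffic keeps working."""
    option, plugin = classify_target(target)
    return option == "com_ajax" and plugin in denied


if __name__ == "__main__":
    found = ajax_requests(SAMPLE_LOG)
    for ip, n in per_source(found).most_common():
        print(f"{ip}: {n} call(s) to watched com_ajax plugins")
```

Blocking every ?option=com_ajax request, as the advice above reads literally, will also break unrelated extensions that use the same dispatcher; keying the rule on the plugin name, and matching the SEF /component/ajax form as well, is what should_block does here.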

For validation and patch management, track the vendor’s release packages and apply the latest available builds for each impacted product.

Affected versions (as reported) include: Novarain/Tassos Framework (plg_system_nrframework) v4.10.14–v6.0.37; Convert Forms v3.2.12–v5.1.0; EngageBox v6.0.0–v7.1.0; Google Structured Data v5.1.7–v6.1.0; Advanced Custom Fields v2.2.0–v3.1.0; Smile Pack v1.0.0–v2.1.0.
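To turn that list into something you can run against an inventory, the script below (an added example, not code from the article or the vendor) encodes the reported ranges and classifies an installed version as inside, below or above them. Because the article gives the last affected version of each product but not the number of the fixed release, a version above a range is reported as “verify” rather than “safe”. The manifest_cache rows are constructed sample data shaped like Joomla’s #__extensions table, which stores each extension’s manifest as JSON with a version key.

```python
"""Check installed Joomla extension versions against the affected ranges
reported in the article. Added example, not from the article or the vendor.
"""
import json
import re
from typing import Dict, List, Tuple

# (first affected, last affected), as reported in the article.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "plg_system_nrframework": ("4.10.14", "6.0.37"),
    "Convert Forms": ("3.2.12", "5.1.0"),
    "EngageBox": ("6.0.0", "7.1.0"),
    "Google Structured Data": ("5.1.7", "6.1.0"),
    "Advanced Custom Fields": ("2.2.0", "3.1.0"),
    "Smile Pack": ("1.0.0", "2.1.0"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components only, so 'v6.0.37' or '5.1.0 Pro' compare by their digits."""
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    if not nums:
        raise ValueError(f"no numeric version in {v!r}")
    return nums


def _key(v: str, width: int = 4) -> Tuple[int, ...]:
    """Pad to a fixed width so 6.0 and 6.0.0 compare equal."""
    nums = parse_version(v)
    return nums + (0,) * (width - len(nums))


def classify(name: str, version: str) -> str:
    """'affected', 'below', 'verify' (above the reported range) or 'unknown'."""
    if name not in AFFECTED:
        return "unknown"
    lo, hi = AFFECTED[name]
    v = _key(version)
    if v < _key(lo):
        return "below"
    if v > _key(hi):
        # Above the last reported affected version; the article names no fixed
        # release, so confirm against the vendor's release notes.
        return "verify"
    return "affected"


def version_from_manifest_cache(manifest_cache: str) -> str:
    """Joomla keeps each extension's manifest as JSON in #__extensions.manifest_cache."""
    return json.loads(manifest_cache)["version"]


# Constructed sample rows, shaped like (name, manifest_cache) from #__extensions.
SAMPLE_ROWS = [
    ("plg_system_nrframework", '{"name": "System - Tassos Framework", "version": "5.3.1"}'),
    ("Convert Forms", '{"name": "Convert Forms", "version": "5.1.0"}'),
    ("EngageBox", '{"name": "EngageBox", "version": "7.2.0"}'),
    ("Smile Pack", '{"name": "Smile Pack", "version": "0.9.0"}'),
    ("Some Other Extension", '{"name": "Other", "version": "1.0.0"}'),
]


def audit(rows) -> List[Tuple[str, str, str]]:
    """(extension, installed version, verdict) for every inventory row."""
    out = []
    for name, manifest_cache in rows:
        version = version_from_manifest_cache(manifest_cache)
        out.append((name, version, classify(name, version)))
    return out


if __name__ == "__main__":
    for name, version, verdict in audit(SAMPLE_ROWS):
        print(f"{name:28} {version:10} {verdict}")
```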
