Security Update: Arbitrary File Deletion Vulnerability Fixed

Tassos Marinos
Published in Company News
2 weeks ago
Last updated 17 hours ago

On March 5th, 2026, a security researcher named Leandro Vallimasked responsibly reported an arbitrary file deletion vulnerability in the file upload and gallery fields across several of our extensions. We reviewed the code, hardened the affected delete endpoints, and shipped patched versions. The issue is fully resolved.

What was the issue?

The root of the problem was in the Tassos Framework plugin, which is shared across all our extensions. When a visitor uploaded a file and later deleted it, the framework's delete endpoint trusted the file reference sent by the browser and removed whatever it pointed at. It never checked that the file actually lived inside the upload folder.

As a result, anyone could send a crafted delete request pointing at a file they never uploaded, and the server would delete it. No login was required.

The fix restricts deletions to the specific folder where uploaded files are stored; any request that resolves to a path outside that folder is rejected. We have no evidence that this was exploited in the wild.
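To make the bug class and the fix concrete, here is an added PHP example. It is not the Tassos Framework's code; the function names, the folder layout and the constructed files are assumptions. The first function shows the pattern described above (a delete handler that trusts the client-supplied file reference); the second shows the kind of check that closes it: canonicalise both the upload folder and the requested path, then refuse anything that does not sit inside the folder.

```php
<?php
// Added example, not the Tassos Framework's own code. Function names,
// the uploads folder and the constructed files below are hypothetical.

declare(strict_types=1);

/**
 * The pattern the advisory describes: the handler builds a path from the
 * client-supplied reference and never checks that the result is still
 * inside the upload folder, so "../" segments or an absolute path escape it.
 */
function deleteUploadUnsafe(string $uploadDir, string $clientPath): bool
{
    $target = $uploadDir . DIRECTORY_SEPARATOR . $clientPath;
    if (!is_file($target)) {
        return false;
    }
    return unlink($target); // removes whatever $clientPath resolved to
}

/**
 * Hardened variant: resolve the upload folder and the requested file with
 * realpath(), which also follows symlinks, then require the canonical target
 * to start with the canonical folder (trailing separator included, so a
 * sibling folder with a longer name cannot pass). Reject before unlink().
 */
function deleteUploadSafe(string $uploadDir, string $clientPath): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false; // upload folder missing: refuse rather than guess
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $target = realpath($base . $clientPath);
    if ($target === false) {
        return false; // nothing there: nothing to delete
    }

    if (strncmp($target, $base, strlen($base)) !== 0) {
        // Illustrative logging: a rejected delete outside the folder is
        // worth recording so probing of the endpoint shows up in logs.
        error_log('rejected delete outside upload dir: ' . $clientPath);
        return false;
    }
    if (!is_file($target)) {
        return false; // refuse directories and special files
    }
    return unlink($target);
}

// Constructed demonstration on a throwaway temp directory.
$root      = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
$uploadDir = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . '/photo.jpg', 'constructed upload');
file_put_contents($root . '/configuration.php', 'constructed site file');

// A legitimate request removes the uploaded file.
var_dump(deleteUploadSafe($uploadDir, 'photo.jpg'));
// A traversal request and an absolute path are both rejected.
var_dump(deleteUploadSafe($uploadDir, '../configuration.php'));
var_dump(deleteUploadSafe($uploadDir, $root . '/configuration.php'));
// The file outside the upload folder is untouched.
var_dump(file_exists($root . '/configuration.php'));

// Remove the constructed directory again.
unlink($root . '/configuration.php');
rmdir($uploadDir);
rmdir($root);
```

Run with `php example.php`: the legitimate delete returns true, the two out-of-folder requests return false, and the constructed `configuration.php` still exists afterwards. The prefix check is only meaningful on canonical paths, which is why both sides go through `realpath()` first; comparing the raw client string against the folder name would let `../` and symlinks through.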

The vulnerability surfaces specifically in these extensions and fields:

  • Advanced Custom Fields: File Upload field and Gallery field
  • Convert Forms: File Upload field
  • Smile Pack: Gallery module

Even if you don't use any of these fields, you may still be at risk. The vulnerable code lives in the Tassos Framework plugin, so having that plugin installed on your site is enough to be exposed.

What you need to do

Install the patched version of your extension:

Extension               Joomla 4 / 5 / 6     Joomla 3
Convert Forms           v5.1.6 or later      v4.4.13 or later
Advanced Custom Fields  v3.1.4 or later      v2.8.13 or later
Smile Pack              v2.1.1 or later      v1.2.7 or later

You only need to update one extension to pull in the Framework fix, because every extension ships the same shared plugin. Updating all of them is still the better call.

Verify your installation

After updating, confirm you're running a patched version:

  1. Log in to your Joomla Administrator
  2. Go to Extensions → Manage → Installed
  3. Confirm each affected extension is at or above the versions listed above
  4. Go to System → Plugins, search for Tassos Framework, and confirm the version is 6.1 or later

If both check out, you're protected.

If you need help updating, open a support ticket and we'll sort it out.

Important: Check for Leftover Framework Plugin

If you've installed a Tassos extension and later uninstalled it, the Tassos Framework plugin may still be on your site.

The framework is shared across all Tassos extensions and isn't automatically removed on uninstall, to avoid breaking other extensions that may still depend on it. It can linger even when no Tassos extensions are active.

Check your site:

  1. Log in to your Joomla Administrator
  2. Go to Extensions → Plugins
  3. Search for Tassos Framework
  4. If the plugin is found:
    • Still using a Tassos extension? Make sure it's updated to the latest version
    • No longer using any Tassos extensions? Uninstall the plugin manually

Removing it ensures your site isn't exposed unnecessarily.