Security Update: Tassos Framework Patch Released

Tassos Marinos
Published in Company News
2 days ago
Last updated 11 hours ago

On January 7th, 2026, an independent security researcher, p1r0x, working with SSD Secure Disclosure, responsibly reported a vulnerability in the Tassos Framework system plugin, which is included in our Joomla extensions.

Upon receiving the report, we immediately conducted a full internal code review, implemented additional validation and hardening measures, and released patched versions of all affected extensions. The issue has now been fully resolved.

What was the issue?

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

In a worst-case scenario, this could have allowed an unauthenticated actor to read files accessible to the web server. It could also have enabled deleting files from the server when specific conditions were met.

Under certain circumstances, database queries could have been manipulated to extract data from the Joomla database. In combination, these capabilities could potentially have been used to escalate access and execute unauthorized code.

There is currently no evidence that this vulnerability has been exploited in the wild.

Who is affected?

All Joomla extensions that include the Tassos Framework plugin are affected if running unpatched versions, including:

  • Convert Forms
  • EngageBox
  • Google Structured Data
  • Advanced Custom Fields
  • Smile Pack

Because the framework is shared, the fix applies globally once updated.

What you need to do

Install the patched version of your extension according to your Joomla version:

Extension                   Joomla 4 / 5 / 6     Joomla 3
Convert Forms               v5.1.1 or later      v4.4.11
EngageBox                   v7.1.1 or later      v6.3.9
Google Structured Data      v6.1.1 or later      v5.6.9
Advanced Custom Fields      v3.1.1 or later      v2.8.10
Smile Pack                  v2.1.1 or later      v1.2.4
MailChimp Auto-Subscribe    v5.1.1 or later      v5.0.4

All of the above releases include the updated Tassos Framework System Plugin v6.0.62, which contains the security fix.

Because all our extensions share the same underlying framework plugin, you only need to update one of your installed Tassos extensions. The framework will be updated automatically as part of that process.

If you have multiple Tassos extensions installed, updating just one is sufficient to apply the patch. However, keeping all extensions up to date is always recommended.

Verify the Framework version

After updating:

  1. Log in to your Joomla Administrator
  2. Go to System → Plugins
  3. Search for Tassos Framework
  4. Confirm the version is 6.0.62 or later

If the Tassos Framework version is 6.0.62 or later, your website is protected against this vulnerability.
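
For administrators who look after several sites, the same check can be scripted. The following is an added example, not code from Tassos or Joomla: it reads the version element of a Joomla extension manifest and compares it numerically against 6.0.62, since a plain string comparison would wrongly rank 6.0.9 above 6.0.62. The site names and manifest contents are constructed samples, and where the framework's manifest file lives on disk is left for you to supply.

```python
import re
import xml.etree.ElementTree as ET

# Fixed framework version stated in the advisory.
FIXED_FRAMEWORK = (6, 0, 62)

# Constructed sample manifests (assumption: in practice, read the framework
# plugin's manifest XML from each site's filesystem or backup).
SAMPLE_MANIFESTS = {
    "site-a": "<extension><name>Tassos Framework</name><version>6.0.62</version></extension>",
    "site-b": "<extension><name>Tassos Framework</name><version>6.0.9</version></extension>",
    "site-c": "<extension><name>Tassos Framework</name><version>v6.1</version></extension>",
    "site-d": "<extension><name>Tassos Framework</name></extension>",  # no version
    "site-e": "<extension><version>6.0.61</version>",                  # truncated file
}

def parse_version(text):
    """Turn '6.0.62' or 'v6.0.62' into (6, 0, 62); None if no numeric version."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def is_patched(version_text, minimum=FIXED_FRAMEWORK):
    """True only if the version is numerically >= minimum; unknown counts as unpatched."""
    version = parse_version(version_text)
    if version is None:
        return False
    width = max(len(version), len(minimum))
    pad = lambda parts: parts + (0,) * (width - len(parts))  # 6.1 compares as 6.1.0
    return pad(version) >= pad(minimum)

def manifest_version(xml_text):
    """Return the text of <version> from a manifest, or None if unreadable."""
    try:
        return ET.fromstring(xml_text).findtext("version")
    except ET.ParseError:
        return None

def audit(manifests):
    """Map each site to True (patched) or False (unpatched or unknown)."""
    return {site: is_patched(manifest_version(xml)) for site, xml in manifests.items()}

if __name__ == "__main__":
    for site, ok in audit(SAMPLE_MANIFESTS).items():
        print(f"{site}: {'patched' if ok else 'NEEDS UPDATE OR REVIEW'}")
```

Sites whose manifest is missing, truncated, or lacks a version are reported as needing review rather than assumed safe.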

Responsible disclosure

We thank the independent security researcher who responsibly reported this issue. Upon notification, we immediately investigated, implemented fixes, and released patched versions.

Security remains a top priority for us. If you need assistance updating or have any questions, please open a support ticket, and we will assist you promptly.