End-of-Life Joomla Notice
If you received an email from me pointing you to this page, it is because your website appears to be running an end-of-life version of Joomla, the content management system your site is built on. This page explains why that matters and how to fix it.
Is this message legitimate?
Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it or exploit anything.
All I did was read a public file that your website serves to every visitor, a Joomla version manifest, and note the version number it publishes. This is the same public part of your site as your homepage. Nothing about this check touches your data, your admin area, or any private part of your site. If my email named a specific version or security issue, that came from reading that one public file, not from testing anything.
If you would like to verify who I am, see the contact details at the bottom of this page and the About page.
Why this matters
Joomla 3.x reached end of life on 17 August 2023. Earlier branches (2.5, 1.5) reached end of life years before that. End of life means the Joomla project no longer issues security fixes for that branch at all, even for serious, publicly known vulnerabilities. New flaws found after the end-of-life date are simply never patched for your version.
Attackers actively scan the internet for sites running these unsupported versions, because the vulnerabilities are well documented and easy to find. Common outcomes include website defacement (your pages replaced or altered), spam injection, and the site being used to host malicious content. If my email cited a specific CVE, it means the version your site reports falls within the range that issue is known to affect. I did not test whether your particular site is exploitable, only that it reports an affected version.
The good news: moving to a supported release closes these gaps, and there is a well-documented upgrade path.
Examples of known vulnerabilities
These are a few of the publicly documented, high-severity vulnerabilities affecting end-of-life Joomla 3.x (and earlier) branches. Because these versions are unsupported, issues like these are never patched, and the technical details are widely published:
- CVE-2015-8562: unauthenticated remote code execution via PHP object injection, affecting Joomla 1.5.x through 3.4.5. This was actively exploited in the wild.
- CVE-2017-8917: critical (CVSS 9.8) SQL injection in Joomla 3.7.0.
- CVE-2016-8869: critical (CVSS 9.8) privilege escalation through the user registration component, in versions before 3.6.4.
- CVE-2016-8870: unauthorized account creation even when registration is disabled, in versions before 3.6.4.
- CVE-2015-7857: SQL injection in the content history component, affecting Joomla 3.2 through 3.4.4.
If my email cited a specific CVE, it will be one like these: a publicly known issue whose affected version range includes the version your site reports.
How to check your version
You do not have to take my word for which version you are running.
From the public manifest (no login needed): open
yourdomain.com/administrator/manifests/files/joomla.xml in a browser. The <version>
line is the authoritative core version, and this is the same file I read.
From the admin area (if you have access):
- Log in to your Joomla administrator (usually at
yourdomain.com/administrator). - Open System, then look at the System Information / dashboard panel, which shows the Joomla version.
If the major version is 3, 2.5, or 1.5, you are on an end-of-life branch and should upgrade.
How to upgrade
The current supported major releases are Joomla 4 and Joomla 5. Always back up first (files and database) before making changes; most hosts offer one-click backups, or you can use a Joomla backup extension.
The recommended path from Joomla 3 is:
- Update to the latest Joomla 3.10.x first. The 3.10 series includes a built-in Pre-Update Check (in the Joomla Update component) that flags any extensions or templates that are not yet compatible with Joomla 4.
- Resolve incompatible extensions/templates it reports. Update them to Joomla 4/5 compatible versions, or find replacements.
- Run the migration to Joomla 4, then update onward to Joomla 5, from Components → Joomla Update in the admin.
- Download links and the current release are always at the official project: https://downloads.joomla.org.
- After upgrading, confirm the new version using the steps above and check that your site loads and edits normally.
If your site is very old (Joomla 1.5 or 2.5), the jump is larger and is often best done as a fresh Joomla 5 build with your content migrated across. A web professional can do this quickly.
While you are at it, update your extensions and template too, since the same “unsupported means unpatched” principle applies to all of them.
I do not have a webmaster / I am stuck
If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.
If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.
Contact
Evan Harris, Security Researcher
- Email: security@mail.mcpsec.dev
- X: @Evan__Harris
- GitHub: eharris128
- LinkedIn: Evan Harris
I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.
References
Official Joomla sources
- Joomla CMS Development Roadmap (support and end-of-life policy: each major version is supported for at least four years)
- Joomla Developer Network: release roadmap (currently supported major versions)
- Joomla announcement confirming Joomla 3.10 security support ended 17 August 2023
- Joomla technical requirements (for current supported releases)
Third-party summary
- endoflife.date: Joomla (consolidated table of Joomla end-of-life dates)