Hackers Are Breaking Into Websites Through Two Popular Joomla Add-Ons
Two widely used plugins for the Joomla website-building platform have critical security flaws that let criminals take full control of a site without needing a password. Patches exist, but attacks started before most site owners knew there was a problem.

Key points
- CVE-2026-56291, a flaw in the Balbooa Forms plugin for Joomla, carries a perfect 10-out-of-10 severity score and was being actively exploited before a patch was released on 9 July 2025.
- CVE-2026-48939, a matching flaw in the iCagenda events calendar plugin, was first exploited in the wild on 15 June 2025; fixes arrived within 24 hours.
- Both flaws let criminals upload malicious code to a website without logging in, then run that code to take over the server.
- The US Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to its official list of actively exploited vulnerabilities on 10 July 2025, ordering federal agencies to patch within three days.
- Security researchers urge every organisation running either plugin to update immediately, not just government bodies.
Joomla is a free content management system, meaning software that lets businesses and organisations build and run websites without writing code from scratch. Millions of sites worldwide use it. Like most such platforms, Joomla supports plugins, small add-on programs that extend what the main software can do.
Two of those plugins have just become the entry point for a wave of attacks.
The first is Balbooa Forms, a tool for adding contact forms and file-upload features to a Joomla site. The second is iCagenda, a popular events calendar plugin. Both contain what security researchers call an arbitrary file upload vulnerability, meaning a criminal can send a specially crafted file through a normal-looking upload button on the site and the server accepts it without checking whether it is safe.
The file they upload is PHP code, a type of programming instruction that the web server then runs. Once that code is running, the attacker has what is called remote code execution, meaning they can do almost anything: steal data, delete content, redirect visitors to scam pages, or use the server to attack other targets.
Neither flaw requires a password. Anyone on the internet can trigger it.
Should website owners be worried?
Yes, immediately, if they have not already applied the available patches. The developer behind iCagenda saw live attacks on 15 June 2025 and pushed fixes that same day and the next, covering plugin versions 4.0.8 and 3.9.15. Balbooa released a patched version, Balbooa Forms 2.4.1, on 9 July 2025. Any site still running an older version of either plugin is exposed right now.
The failure mode here is a familiar one: patches dropped while attacks were already in progress. That is a zero-day, meaning criminals found and used the flaw before the software maker even had a fix ready. One thing the post-mortem will say is that the window between discovery and patch was effectively zero, so detection and rapid response mattered more than prevention.
CISA, which advises on cybersecurity across US government and critical infrastructure, added both flaws to its Known Exploited Vulnerabilities catalog on 10 July 2025, as first reported by SecurityWeek. Federal agencies face a three-day deadline to patch. In practice, every organisation running Joomla should treat that same deadline as their own.
If you manage a Joomla site, open your plugin manager today and check the version numbers on both Balbooa Forms and iCagenda. Update if needed. If you are a visitor to a Joomla-powered site and notice unusual redirects or strange pop-ups, that site may already be affected.
Update the plugin. Then check your server logs.



