Joomla is the second most widely used mobile-friendly CMS (web content management system) after WordPress. Unlike WordPress, the most popular publishing platform, Joomla does not apply security updates automatically by default, so users have to install updates themselves once they are released. The current issue is that every Joomla version from 3.4.4 through 3.6.3 must be upgraded, and not merely as a precaution: the upgrade fixes security vulnerabilities that are already being actively exploited. As the security provider Sucuri put it, the attacks have been widespread:
[…] because of the sharp increase [in attacks], it’s our belief that any Joomla! site that has not been updated is most likely already compromised.
The two critical vulnerabilities disclosed last week are CVE-2016-8870, which allows an attacker to register an account on a site even when user registration has been disabled, and CVE-2016-8869, which allows an attacker to register an account with elevated privileges. Both are fixed in the latest Joomla release, which is already available.
Users running any version from 3.4.4 to 3.6.3 must update to version 3.6.4 as soon as they possibly can. This release removes the old code and additionally patches a third critical vulnerability, CVE-2016-9081. Users should have received an e-mail from Joomla announcing the release. If you run Joomla and have not updated recently, check your inbox for any e-mails from Joomla (but not the spam folder, since opening messages there can get you into bigger trouble).
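As an added example (not code from Joomla or from this article), here is a small Python triage script a site owner could run against exported account records: it checks whether a reported Joomla version falls inside the affected 3.4.4 to 3.6.3 range, and flags accounts created on or after the date from which self-registration was supposed to be disabled, noting any that also hold a privileged group. The record shape, the cutoff date and the sample accounts are assumptions made for the example.

```python
from datetime import datetime

# Affected range as stated in the advisory above.
VULNERABLE_FROM = (3, 4, 4)
VULNERABLE_TO = (3, 6, 3)

# Joomla's default group names that carry administrative rights.
PRIVILEGED_GROUPS = {"Manager", "Administrator", "Super Users"}


def parse_version(version):
    """'3.6.3' -> (3, 6, 3). Compare as integers: '3.10.0' sorts after '3.6.3'
    numerically but before it as a plain string."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(version):
    """True if this Joomla version falls inside the affected 3.4.4..3.6.3 range."""
    return VULNERABLE_FROM <= parse_version(version) <= VULNERABLE_TO


def suspicious_accounts(users, since, privileged_groups=PRIVILEGED_GROUPS):
    """Flag accounts registered on or after `since` (the time from which the
    site ran with registration disabled or unpatched), noting which of them
    also hold a privileged group. Each user is a dict with 'username',
    'registerDate' (YYYY-MM-DD HH:MM:SS) and 'groups' (list of group names);
    that record shape is an assumption of this example."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    findings = []
    for user in users:
        registered = datetime.strptime(user["registerDate"], "%Y-%m-%d %H:%M:%S")
        if registered < cutoff:
            continue
        reasons = ["registered while self-registration was disabled"]
        if privileged_groups & set(user["groups"]):
            reasons.append("holds privileged group")
        findings.append((user["username"], reasons))
    return findings


# Constructed sample records (not real data), shaped like an export of
# Joomla's users table joined with each account's group names.
SAMPLE_USERS = [
    {"username": "editor1", "registerDate": "2016-09-01 10:00:00", "groups": ["Editor"]},
    {"username": "xx7", "registerDate": "2016-10-24 03:12:00", "groups": ["Registered"]},
    {"username": "sys", "registerDate": "2016-10-25 04:40:00", "groups": ["Administrator"]},
]

if __name__ == "__main__":
    print("3.6.3 needs update:", needs_update("3.6.3"))
    for name, reasons in suspicious_accounts(SAMPLE_USERS, "2016-10-01 00:00:00"):
        print(name, "->", "; ".join(reasons))
```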
If you leave these vulnerabilities unpatched, you run the following risks. Your website can be attacked, with consequences that are not limited to the site itself: it can be turned into a tool for compromising millions of other websites. Your site can be enrolled in a botnet that spreads malware, sends spam e-mail or takes part in DDoS (Distributed Denial of Service) attacks.