Joomla Novarain/Tassos Framework Vulnerabilities Enable SQL Injection and Unauthenticated File Read

February 16, 2026
Joomla Novarain/Tassos Framework Vulnerabilities

Websites running the Novarain/Tassos Framework are vulnerable to critical security flaws that allow unauthenticated file read, file deletion, and SQL injection attacks, potentially leading to remote code execution and full administrator takeover on unpatched systems.

The issues affect multiple popular Tassos extensions and require urgent patching through the vendor’s updated releases.

A source‑code review of the shared Novarain/Tassos Framework plugin (plg_system_nrframework) uncovered three core primitives exposed through an AJAX handler that processes the task=include action without proper hardening.

By abusing this entry point, an attacker can invoke PHP classes under the Joomla site root that implement an onAjax method, effectively turning internal helper classes into remotely reachable gadgets.

Within these gadgets, one class mishandles CSV loading and can be coerced into reading arbitrary files accessible to the webserver user, while another class exposes a remove action that deletes attacker‑supplied paths without additional validation.

A third class, used for dynamic field population, passes attacker‑controlled parameters into database queries, creating an SQL injection primitive capable of arbitrary table and column reads under the Joomla database account.

Chaining these capabilities allows an external attacker to steal administrator session data from the database, pivot into the backend, and then deploy a malicious extension or modify templates to gain persistent RCE.

Affected components and impact

The vulnerable framework is bundled into several widely deployed Joomla extensions, including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack, meaning many sites inherit the risk indirectly through these add‑ons.

| Component / Extension | Affected versions |
|---|---|
| Novarain/Tassos Framework (plg_system_nrframework) | v4.10.14 – v6.0.37 |
| Convert Forms | v3.2.12 – v5.1.0 |
| EngageBox | v6.0.0 – v7.1.0 |
| Google Structured Data | v5.1.7 – v6.1.0 |
| Advanced Custom Fields | v2.2.0 – v3.1.0 |
| Smile Pack | v1.0.0 – v2.1.0 |

The impacted version ranges cover the Novarain/Tassos Framework (plg_system_nrframework) itself and the specific releases of each extension listed above; exploitation remains possible as long as the system plugin stays enabled on an internet‑facing site.

Because the attack vector relies solely on unauthenticated AJAX requests, common hardening steps such as restricting access to the admin role and adding additional passwords are necessary.

Adding plugin‑level secrets does not prevent compromise once an attacker can read or delete files and query the database.

In realistic attack chains, adversaries can exploit SQL injection to obtain super admin sessions, log into the backend, and then weaponize file-write paths to execute arbitrary PHP code, leading to a full site takeover.

The vendor has responded by shipping fixed builds of the Tassos Framework and affected extensions, available through the official downloads section and standard Joomla update mechanisms.

The vulnerabilities were discovered by independent security researcher p1r0x in collaboration with SSD Secure Disclosure.

Administrators should immediately update all Tassos components or temporarily turn off the plg_system_nrframework plugin and related extensions on exposed sites until patching is complete.

As a defense‑in‑depth step, operators should restrict or filter com_ajax traffic at the web server or WAF, and review logs for suspicious task=include requests, unusual CSV‑related AJAX activity, or unexplained file deletions that may indicate attempted exploitation.
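The log review suggested above can be scripted. The following is an added example, not code from the article or from the vendor: it parses web server access logs in the combined format, flags com_ajax requests that carry the task=include action named in this advisory, and counts hits per client address. The log lines are constructed samples using documentation IP ranges; the query parameters beyond option=com_ajax and task=include (format=raw, plugin=convertforms) are assumed for illustration and are not taken from the advisory.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the Apache/nginx "combined" log format.
# Addresses are RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax&format=raw&task=include HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [16/Feb/2026:10:01:05 +0000] "POST /index.php?option=com_ajax&format=raw&task=include HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [16/Feb/2026:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2026:10:02:30 +0000] "POST /index.php?option=com_ajax&plugin=convertforms&format=raw HTTP/1.1" 200 88 "https://example.test/" "Mozilla/5.0"
"""

# Minimal combined-log parser: just enough fields to attribute a request to a client.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    # parse_qs yields lists; keep the first value and lower-case keys and values
    # so case variations of option=com_ajax still match.
    raw = parse_qs(urlsplit(req["path"]).query, keep_blank_values=True)
    req["query"] = {k.lower(): v[0].lower() for k, v in raw.items()}
    return req


def is_com_ajax(req):
    """Any request routed through Joomla's com_ajax component (baseline, not an indicator)."""
    return req["query"].get("option") == "com_ajax"


def is_include_task(req):
    """com_ajax request carrying the task=include action named in the advisory."""
    return is_com_ajax(req) and req["query"].get("task") == "include"


# Rule table: (finding name, predicate). Extend with site-specific rules as needed.
RULES = [("nrframework_task_include", is_include_task)]


def scan(log_text, rules=RULES):
    """Return one finding per (line, matching rule) as a list of dicts."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for name, pred in rules:
            if pred(req):
                findings.append({"rule": name, "ip": req["ip"], "ts": req["ts"],
                                 "method": req["method"], "status": req["status"],
                                 "path": req["path"]})
    return findings


def by_client(findings):
    """Count findings per source address; a burst from one client stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {f['path']}")
    print(dict(by_client(hits)))
```

Legitimate Tassos extensions also talk to com_ajax, so the script deliberately flags only the task=include combination rather than every com_ajax request; a 200 response to such a request from a client that has no other site activity is the pattern worth correlating with file modification times and unexpected deletions on the host.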

