Joomla! extensions from RSJoomla! - Blog

A critical flaw in the RSFiles! upload function allows unauthenticated file uploads without enforcing any file extension.

What this means is that any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

The bottom line is: update immediately to RSFiles! 1.17.12 which fixes this along some other not-reported, but less critical security issues.

Is this exploited in the wild?

Fortunately, at the time of writing, the vulnerability is not public information. It has been privately disclosed by the team at mySites.guru which we thank and recommend - they deliver fantastic services. However, as this is now disclosed, this will be exploited in the wild probably in a few hours after the new version has been released.

How to mitigate this

If you are using RSFirewall!, by default file uploads with a .php extension are silently deleted so you're protected.

Update as soon as possible

Do not rely on firewalls to keep up with this - your immediate action should be to update RSFiles! to the latest release. If updating is not possible, delete /components/com_rsfiles/controllers/rsfiles.php. This will render RSFiles! unusable, but the file contains the affected code so you won't be vulnerable.

Things to check regardless if you're affected or not

  • Any stray .php files in the downloads/ folder and in any other sub-folders;
  • Any stray .php files in the briefcase/ folder and in any other sub-folders;
  • Check if your download folders are secure - go to RSFiles - Settings - Files and tick both the 'Secure download folder' and 'Secure briefcase folder' checkboxes. This will create a file named .htaccess that disallows direct access to these folders, so files will only be served through RSFiles!.
  • Check your server's raw access logs for POST requests pointing to
    index.php?option=com_rsfiles&task=rsfiles.upload that are not preceded by a request to index.php?option=com_rsfiles&task=rsfiles.checkupload
Read more

Independence Day Sale 2026

Celebrate Independence Day with exclusive RSJoomla! deals! Save big on our premium Joomla! extensions and templates and give your website the tools it deserves.

Read more

RSParma! is a brand-new Joomla! 4, 5 and 6 template from RSJoomla!, crafted for businesses, agencies, portfolios, and professional websites. Combining a modern design with flexible customization options and excellent performance, RSParma! makes it easy to build a website that stands out on any device.

Read more

19 Years Anniversary Promotion

RSJoomla! turns 19 this year!

19 years ago, we started building Joomla! extensions with one goal in mind: creating tools that make website building easier.

Since then, a lot has changed, but one thing stayed the same: your support keeps us going. Whether you’ve been with us for years or just recently joined the RSJoomla! community, thank you for being part of this journey.

Read more