Cybercriminals have been caught actively exploiting security flaws in two widely used Joomla extensions, iCagenda and Balbooa Forms, according to security researchers. The vulnerabilities allow attackers to achieve maximum severity ratings on compromised websites, giving them near-complete control over affected systems. Joomla, the open-source content management system (CMS), is estimated to power more than a million websites globally, including a significant number of UK small businesses, charities, and public sector organisations.
The exploited extensions — iCagenda, a calendar and events management tool, and Balbooa Forms, a form builder — are popular among Joomla users for adding functionality without custom coding. Security experts warn that the bugs enable attackers to inject malicious code, steal data, or deface websites. The UK's Information Commissioner's Office (ICO) has previously highlighted the risks of unpatched CMS extensions under data protection law, particularly where personal data is processed.
For UK businesses, the implications are serious. A compromised website can lead to reputational damage, loss of customer trust, and potential fines under UK GDPR if personal data is breached. The ICO has the power to levy penalties of up to £17.5 million or 4% of global turnover for serious breaches. Small and medium-sized enterprises (SMEs), which often rely on Joomla for cost-effective web presence, may lack the resources to patch vulnerabilities quickly.
Regulatory context is also evolving. While the EU AI Act does not directly apply to CMS extensions, the UK's broader cybersecurity framework — including the Network and Information Systems (NIS) Regulations and the upcoming Product Security and Telecommunications Infrastructure (PSTI) Act — places duties on organisations to secure their digital supply chains. Experts note that third-party extensions represent a weak link that attackers routinely target.
Dr. Eleanor Shaw, a cybersecurity researcher at the University of Cambridge, commented: 'Extensions are the Achilles' heel of open-source CMS platforms. Businesses often focus on patching the core software but neglect third-party add-ons. This is a classic example of supply chain risk in the digital world.' She urged UK site owners to audit their extensions immediately and apply any available updates.
For UK consumers, the risk is indirect but real: compromised websites can be used to deploy phishing pages, steal login credentials, or distribute malware. The National Cyber Security Centre (NCSC) advises users to ensure websites they interact with are running up-to-date software and to be cautious of unexpected pop-ups or requests for personal information.