For the widely used Joomla template framework Helix Ultimate (from JoomShaper), version 2.2.7 was released today, July 7, 2026 - a security update you should not put off until tomorrow. It closes several vulnerabilities in an AJAX handler that Joomla also runs for non-logged-in visitors. The most serious allows an attacker, without any login at all, to write to your menu settings and inject malicious code that is then executed in your visitors' browser - and in your own admin session.

A word up front, because the names are almost the same and that is exactly what leads to patching the wrong thing: This vulnerability affects Helix Ultimate, not the older Helix3. Helix3 had its own security update to 3.1.1 at the end of June - we reported on that separately. Both frameworks come from JoomShaper, but they are separate products with their own code and their own versioning. If you use both, you need to update each one individually.

You should act promptly: the patched code has been publicly available since today. Anyone can compare it with the old version and infer how the vulnerability works - after that, it is only a matter of time before automated scanners start specifically looking for outdated installations.

What is Helix Ultimate - and who is affected?

Helix Ultimate is one of the most widely used template frameworks for Joomla. It installs as a system plugin (System - Helix Ultimate Framework) together with a template and controls the layout, header and, above all, the mega menu. Precisely because it handles the entire menu structure on so many sites, this Joomla security vulnerability is especially serious.

All versions below 2.2.7 are affected. The jump in version numbering is confusing: 2.2.4 is followed directly by 2.2.7 - there never was a 2.2.5 or 2.2.6. So there is no older version you could safely stay on. Experience shows that many installations are still far behind on the 2.1 or 1.1 line and are therefore even more vulnerable.

It is enough for the framework to be installed. Simply deactivating does not protect you: the files remain on the server, and the vulnerable AJAX endpoint can still be called directly.

How to check your installed version:

  1. Log in to the Joomla backend
  2. Go to Extensions - Manage
  3. Filter by Helix Ultimate and check the version number

If a version lower than 2.2.7 is shown there, there is an urgent need to act.

The vulnerability in simple terms

Helix Ultimate includes an AJAX handler that Joomla exposes through its built-in com_ajax dispatcher - reachable at a predictable address, completely without login. Several actions in this handler carried out their work without first checking whether the caller was logged in and authorized at all.

The most dangerous action is the one that writes to the menu settings. An outsider without an account could use it to place content directly in your menu or mega menu. And because this menu content was not sanitized before output, malicious code could be stored there - a classic stored XSS. This code then runs in every visitor's browser and, far worse, in your own admin session as soon as you open the backend. That allows an attacker to act in your name, for example by quietly creating another super user.

The menu write access is the main risk, but not the only one. The same handler also contained:

  • a path traversal vulnerability in file deletion that allowed deletion actions to target arbitrary files within your Joomla installation from outside the intended folder
  • an Open Redirect that can silently redirect visitors to external destinations
  • an unprotected template export

Version 2.2.7 fixes all of this: it restores the missing login and permission checks across every AJAX action, confines file paths so they can no longer leave their folder, validates redirects, hardens file uploads, and cleans up menu and embed output so no script can slip through anymore. (Confirmed by a direct comparison of the source code before and after the patch.)

What to do now, specifically

Update Helix Ultimate to Version 2.2.7 immediately. There are two easy ways:

  1. Joomla updater: check for updates via System - Update - Extensions and update Helix Ultimate
  2. Direct download: get the package from joomshaper.com and install it over the existing version via Extensions - Manage - Install

Helix Ultimate consists of multiple parts - the system plugin and the template, and sometimes an additional template installer plugin. Update everything that the updater lists under Helix Ultimate, not just a single entry.

Important: Simply disabling the plugin is not enough - the files remain in place and the endpoint stays reachable. And if you removed old files in a hurry, do not restore old versions from a backup; instead, reinstall 2.2.7 cleanly.

Has my site already been attacked?

Because the vulnerability can be exploited without a login and affects both menus and files, you can search specifically for traces:

  • Menus and mega menu: Check your menu items and mega menu settings for links or markup that you did not place yourself - especially injected <script> snippets or foreign HTML.
  • Template settings: Check the template options to see whether anything unfamiliar has been added under Custom Code (such as Custom JavaScript or Custom CSS), or whether settings have changed unnoticed. This is exactly where a defacement script often ends up in this type of attack.
  • User list: Watch out for super users you did not create yourself - the stored XSS targets your admin session directly.
  • Protection files: Since the deletion may have affected files, check whether your .htaccess and any index.html placeholders are still in place. If they are missing, that can be a sign of unauthorized access.

If you find any of these, treat the site as compromised. Do not simply delete the suspicious entry; instead, proceed in a structured way: secure evidence (logs, files, timestamps), thoroughly scan the entire webspace for malicious code - not just the Helix files - then change all Joomla passwords, database access, and FTP/SSH credentials, and end all sessions. A applied update does not remove malicious code that has already been placed or a foreign admin account that has already been set up.

Additional protection (not a replacement for updates): Monitoring and hardening

The update remains the first and most important step. As a second line of defense, continuous monitoring helps: if a defacement or foreign code is injected through such a menu attack, it should be noticed immediately - not only when a visitor reports it.

This is exactly what the free component HTProtect does: your SEO and defacement watchdog triggers as soon as your output changes unexpectedly, its warning list alerts you when an installed extension - such as Helix Ultimate before 2.2.7 - is known to be vulnerable, and a malware scan finds backdoors that have already been planted. The .htaccess hardening also blocks PHP execution in upload and media folders, thereby mitigating the entire class of payload-loading attacks. But none of this can replace the update.

Not sure whether your Joomla site uses Helix Ultimate or is already affected? We check that for you and, if needed, clean up the entire webspace, not just the framework. Also see our emergency help for hacked Joomla sites.

Conclusion

The Helix Ultimate security vulnerability is critical: an attacker without a login could write to your menus and use them to inject malicious code into your admin session; in addition, there was file deletion via path traversal, an open redirect, and an exposed template export. The fix has been available since today with 2.2.7. The order is clear: update to Helix Ultimate 2.2.7 today - and make sure all components are updated - then check menus, template settings, user list, and protection files. And do not confuse it with Helix3: that is a different framework with its own update.

Source: Release Helix Ultimate 2.2.7 in the official JoomShaper repository (github.com/JoomShaper/helix-ultimate) as well as the security notice from mySites.guru.

Never miss another security update!

Additional offers

Customers about us

„The conversion of our Joomla website from PHP 5.3 to PHP 7 was super fast, affordable, and with impeccable results. Very good and friendly communication.“
– H. Bergmann

„Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars“
– Fernando V.

„I was unable to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were carried out, everything was extremely affordable, fast, and good!“
– Klaus-Peter

„The site looks great – everything as before – and on PHP 7.2 – I am impressed - many heartfelt thanks!“
– Dr. Ingo Wuddel

„Since we run an online shop, it was very important to us that our site was quickly available again with full functionality for our customers. All work is carried out extremely quickly to our complete satisfaction.“ – Loewen Handels GmbH

„Very fast, reliable, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.“
– Heino B.

„The contact was exceptionally friendly, and some cosmetic additional work was taken care of on its own - as if it were completely natural. I am relieved and very grateful.“
– R. Mayer

„Great. In an absolute emergency, after 2 domains were blocked by Strato due to a hacker attack, both domains were initially temporarily back online the same day.“
– I. Radchenko

„Excellent service. Problem solved within 18 hours. We are delighted. Thank you very much 🙏“
– Tien Sy Vuong

Website-Bereinigung.de Support Service Google Reviews

Contact options

This email address is being protected from spambots. You need JavaScript enabled to view it.
Contact form

Schedule a call
+49 (0)2406 969796
Mon. - Fri. | 9 am - 9 pm