Helix Ultimate – critical flaws in the AJAX handler (no login)
Secure version: Helix Ultimate 2.2.7 · via JoomShaper (account required)
At a glance
What is this about?
Helix Ultimate is JoomShaper's current template framework (a template together with a system plugin). It registers an AJAX handler that Joomla runs via the standard com_ajax endpoint even for completely anonymous visitors. Before version 2.2.7, several of these actions did their work without first checking a login or a permission.
The most serious is an unauthenticated write access to the menu settings: because the menu content was not sanitised before output, it can be used to permanently store malicious script that then runs in visitors' browsers – and even in the administrator session (stored XSS). On top of that there is a path-traversal flaw that let file deletions reach anywhere inside the Joomla folder, an open redirect and an unprotected template export.
The fix has been available since 7 July 2026 as Helix Ultimate 2.2.7; it puts the missing login and permission checks back across every AJAX action, confines the file paths, validates redirects and cleans the menu output. Because there was no 2.2.5 or 2.2.6, every older version is behind – many installs are still on the 2.1 or even 1.1 line. No CVE number has been assigned so far.
Am I affected? – How to check
- Open the back end
Log in to the Joomla administrator (the address ends in
/administrator). - Go to Extensions
Open Extensions›Manage›Manage and filter for
Helix Ultimate. - Read the version
Read off the installed version. If it is below 2.2.7, the installation is vulnerable and should be updated immediately.
- Watch for traces
Check menus and mega-menu settings for links or scripts you didn't add, and your Users list for unknown Super User accounts.
How to fix it
- Open the Update center
Go to System›Update›Extensions and click Check for updates.
- Update every Helix Ultimate part
Update every Helix Ultimate entry offered to 2.2.7 (system plugin and template, and possibly a template installer) – not just one of them.
- Verify success
Then confirm that 2.2.7 is shown everywhere.
Official source: via JoomShaper (account required). Make sure you have at least Helix Ultimate 2.2.7.
Has the site already been attacked?
.htaccess, index.html) are still present, and whether template style settings were changed. If you find something, grab evidence first, then clean the whole site and change all passwords and secrets.Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.
Sources & further reading
- Detailed analysis – Website-Bereinigung.deBackground and clean-up
- Original advisory – mySites.guruThe advisory that confirmed the flaw
- Joomla Vulnerable Extensions List (VEL)Community-run list of vulnerable extensions
The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
Supporters of this site
htprotect.org is a free, vendor-independent information service. It is supported by:

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.
fc-hosting.deSpecialised in cleaning, maintaining and securing Joomla and WordPress websites.
website-bereinigung.deSupport this project
You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.
Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.
bauschildundservice.deProfessional IT support from Czechia – Windows management, domain administration and web hosting.
defendersoft.cz