A minor XSS vulnerability was present in versions prior to 3.2.6. It occurred when the feed and search features were used together, and only when feeds were enabled, so administrators can also close the leak in earlier versions by disabling the feed functions. The URL creation of the feed function used an improper call to JRoute, so URL-encoded JavaScript was executed. The problem is now fixed by using our getCurrentUrlBy function, which works with a whitelist of variable names and URL-encodes every value.
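
The whitelist-and-encode approach described above, shown as an added PHP example. It is not VirtueMart's getCurrentUrlBy and not code from the project; the function name build_feed_url, the parameter names and the sample request are assumptions made for illustration.

```php
<?php
// Added illustration; not VirtueMart code. All names here are hypothetical.

/**
 * Rebuild a URL from request parameters, copying only whitelisted
 * variable names and URL-encoding every value.
 */
function build_feed_url(string $base, array $request, array $allowedNames): string
{
    $pairs = [];
    foreach ($allowedNames as $name) {
        // Iterate over the whitelist, not over the request: parameter names
        // chosen by the client never reach the generated URL.
        if (!isset($request[$name]) || !is_scalar($request[$name])) {
            continue; // skip missing values and arrays such as keyword[]=x
        }
        // rawurlencode() turns <, >, quotes and spaces into %XX sequences.
        $pairs[] = rawurlencode($name) . '=' . rawurlencode((string) $request[$name]);
    }
    return $pairs ? $base . '?' . implode('&', $pairs) : $base;
}

// Constructed sample request: a search keyword carrying markup, plus a
// parameter whose name is not on the whitelist.
$request = [
    'option'  => 'com_virtuemart',
    'view'    => 'category',
    'keyword' => '"><script>alert(1)</script>',
    'evil"x'  => '1',
];

$url = build_feed_url('index.php', $request, ['option', 'view', 'keyword']);

// The URL ends up inside an HTML attribute, so escape for that context too;
// this also turns the & separators into &amp;.
$link = '<link rel="alternate" type="application/rss+xml" href="'
      . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';

echo $url, PHP_EOL;
echo $link, PHP_EOL;
```

Run with the PHP CLI: the printed feed link contains the keyword only in percent-encoded form, and the non-whitelisted parameter is absent.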

Changes in VirtueMart version 3.2.6

The plugin vmLoaderPluginUpdate now redirects from the normal Joomla registration to the VirtueMart registration. The reason is that the Joomla registration always lacks the address and other VirtueMart-related information, so it should not be used. The plugin provides a parameter to disable it. The normal customfields of type S or M can now use the price modifier as a percentage. The shipment plugin now also works with multiple countries. The media manager has an important new function: we can now delete a media file physically (not just the entry), and the thumbs are also deleted automatically. Some extra security checks were added. Version 3.2.6 is no longer compatible with Joomla 2.5.

  • Important patch to prevent memory leak when switching languages.
  • usermodel, extra check if the already loaded user has the right id.
  • Renamed order_done layout to orderdone to be able to create a menu item.
  • New feature: customfields of type S and M now have a new parameter, which enables the added price as a percentage.
  • Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
  • Shipment plugin now also shows multiple countries.
  • vmJsApi, fix for correct language of the datepicker.
  • mediahandler now has a deleteAllThumbs function for a certain image (works with regex, may accidentally delete too many thumbs, which is quite likely unimportant).
  • Vendor model getVendorAddressFields no longer works with internal id.
  • BE category list keeps selected category.
  • Very important fix for multivariants, which in some conditions lost the parent option when changing to a child.
  • Language dependent caching.
  • install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
  • More security for function getMyOrderDetails.
  • Enhanced search plugin.
  • Removed double // in function displayLogos in vmpsplugin.php. When the shipment/payment logo disappeared in checkout, please read
  • Function changeShopper, address is not pre-filled with userdata of the switching user (in case the address is not provided).
  • Fixed frontend manager link permission in user accountmaintenance.

You can find the full list of changes here:

Changes on the VirtueMart Website

A task force led by Stefan Schumacher finally updated our site to Joomla 3.8. Lately a lot of people also noticed the trouble with our SSL certificate, issued by StartCom. Initially, Google had announced that it would revoke trust for certificates issued by StartCom after October 21, 2016. Our expensive wildcard certificate was issued before that date, so there was no need for action. Unfortunately, Google actually phased out trust for all older WoSign and StartCom certificates as well with the release of Chrome 61. If you want to read more details about this, have a look at
So we decided to use Let's Encrypt instead, which runs maintenance-free with only Certbot installed. This led to the problem that we had to update our main server completely. For this, we received fantastic help from Sören Eberhardt-Biermann, the founder of VirtueMart. All systems are finally updated and running with the latest versions. This means that we now operate with the latest Redmine version and that our SVN server got updated, too. The mail server system has also been updated, because the old system sometimes had hiccups. Last but not least, we also updated to PHP 7.