Release of VirtueMart 3.0.4

A bit earlier than expected, we have to release vm3.0.4 to close a vulnerability in the core. This is a real vulnerability, no exploit. The problem is a wrong error report setting, which can reveal the used server path for the real attack.

More and more people use php5.4 or php5.5, which has another default error handling and so they sometimes displayed Strict Errors (revealing the path). To prevent this, we added a function to disable the "Strict Standards" reporting for the "default" and "none" setting in Joomla. Unluckily, we left for a special debugging case the setting on enabled. So regardless the used configuration setting, you always got at least the "Simple" setting. Luckily it is not so easy to create warnings and errors in VirtueMart 3.

In case you don't want to update, here is the manual fix:

  1. open the file config.php at /administrator/components/com_virtuemart/helpers/config.php.
  2. Go to line 583 and replace
    ini_set('display_errors', '1');
    ini_set('display_errors', '0');

Or just download the new version.

The layout changes of the new version are just one important one for people who override the sublayout prices. The sublayout prices.php had a <div class="clear"></div> at the end, which got removed to increase the flexibility of the sublayout.

The new version contains a new sample product, the "child variant", which allows you to use up to 5 dropdowns to determine the product variant. It is similar to the stockable plugin, but allows also changing the variant data of any child directly from the parent. The handling of the feature is not perfect yet, but a good start. Feel free to share your ideas on our forum.

New features and bug fixes:

  • cleaning of the code
  • increased robustness
  • increased consistency
  • more j3 compatibility (minors)
  • added js to fire automatically the checkout (without redirect) to show directly confirm
  • link to manufacturer on the productdetail page calls the manufacturer, not any longer the product list of the manufacturer
  • the rss feed in the controlpanel is now loaded by ajax, to prevent that the controlpanel isn't loaded if rss has problems
  • custom media, related products and categories with image size parameter
  • added var to vmview "writeJs", for example to prevent writing of js in pdfs
  • added hash for categoryListTree
  • changed calculator so, that default userfield parameters are better directly set if instantiated. Less problems with tax by country for guests
  • fixed in vmplugin.php the function declarePluginParams
  • fixed trigger plgVmDeclarePluginParamsUserfieldVM3

and some more.

Klik & Pay is included in VirtueMart 2.6.14 and VirtueMart 3.0.2

We are pleased to announce the release of VirtueMart 2.6.14 and VirtueMart 3.0.2.

Klik&Pay included in VirtueMartKlik & Pay is a holistic secured payment solution accessible via PC, tablets and/or smartphone. Partners with many Banks and International acquirers, Klik & Pay assists its merchants for 15 years, in France, Europe and all over the World. Klik & Pay is:

  • A global solution not requiring a DSA
  • A competitive pricing, without monthly fees nor set-up fee
  • An anti-fraud scoring linked to an account with or without 3D Secure
  • A multi-lingual staff available by telephone and email
  • A consulting service to help you to develop your business and assist you at an International level

Optimize your conversion rate:

  • Multi currencies cashing
  • Multi lingual payment pages
  • 3DS and non 3 DS merchant account with trigger point

Increase Sales:

  • Virtual Payment Terminal
  • Payment by email
  • Payment by SMS

Secure your activity:

  • Anti-fraud scoring system
  • Transaction Management
  • Litigation support

 Open an account or send us an email to This email address is being protected from spambots. You need JavaScript enabled to view it.

If you already have a Klik & Pay merchant account, you can directly set it up using our payment plugin Klik & Pay provided in VirtueMart.

klikandpay screenshot

We worked a lot on the new Virtuemart 3.0.2 . The update should be easy. There will be a lot database changes, but they are many, but minor. It will increase the speed of your page noticeable. Bugs fixed:

  • increased consistency of the install.sql and reduced int size for better performance
  • extra attachment should now be sent to the shopper and not vendor as intended
  • added itemId to products
  • fixed "typo" in calculationh.php
  • vmJsApi the function addJScript is not anylonger overwriting the attribute "written" if exists already
  • set CacheTime to minutes
  • fixed javascript for tinyMce 4, removed the doubled // of the flag link
  • fixed typo in plugin.php
  • Better use of loading the xml parameter into the JForm (thx Kainhofer)
  • enhanced modals (thx Spyros)
  • sortSearchListQuery or products model uses getCurrentUser now to ensure that the correct id is set (Thank you Stan Scholtz)
  • removed a lot deprecated getSetError(s)
  • vmTable is not derived anylonger from JTable, derived functions added
  • optimised joomla tables for fullinstaller
  • Some more adjustments of VmTable for J3, using dummy interfaces
  • fixed spec file font problem, if no spec files there
  • users allowed to adminstrate shoppers can now also select shoppers in the cart
  • removed old comments, vmdebugs,...
  • changed all <span class="product-field-display"> to <div class="product-field-display">

We still support vm2.6 and there is also no EOL set yet. But new features will be found in VM3. The update to vm2.6.14 should be very user friendly. Bugs fixed:

  • jQuery fix for automatically redirection to payment providers
  • PDF works with diskcache now, less problems with images in invoice
  • works now also with extra ST address
  • small fixes, enhancements, removed typos for different payments

VirtueMart 3 continues to set global benchmarks

Compatible with Joomla 2.5 and Joomla 3, the new generation of the eCommerce solution VirtueMart is now available with many new easing features. Built with the experience of more than 10 years VirtueMart 3 provides you with a powerful and comprehensive eCommerce solution. We give you a flavour of the work we have done to provide you with one of the best open-source e-commerce solution around!

This new generation of the ecommerce platform VirtueMart includes many new features under the hood and is a continuous development of VM2. Our main focus was to make it compatible with Joomla 3, cleaning the architecture, increasing the stability, and increasing the performance. In short: looking superficially at VirtueMart 3 it looks and works almost as VM2, but the feeling and handling is different.

Thousands of man hours have been spent and countless changes have been done updating and enhancing VirtueMart. We are happy and thank the many dedicated developers and store owners that helped to test and provide positive feedback on this most recent version.

VM2 to VM3 is an upgrade, implemented using the Joomla install manager - it does not require a migration (as was the case for VM1 to VM2). We have maintained as much compatibility as possible with VM2 but we have had to make some changes in order to deliver the improvements in VM3.

Your Shoppers and Store Owners benefits

Shoppers will be delighted by the enhanced speed, add to cart buttons in the category browse view, and simpler checkout. Shop owners will notice the enhanced backend speed and simplified customfields. Shop builders will find a lot more tools to fulfill the wishes of their customers.

The ajaxified reload of product variants and neighboured products enhance the browsing experience significantly. To ensure proper loading of JavaScript we had to implement our own Javascript loader. We may extend this feature also to other views for example the pagination of the product browse page.

New internal program caches reduce the sql queries for the most used tasks by more than 25%. Heavy functions are additional cached with the Joomla cache.

Developers benefits

The new core has an advanced cart with enhancements to provide better update compatibility. For example the new custom userfields include now an option to be displayed on the checkout page and can use their own overridable mini layouts, making it easy to adjust the cart to legal requirements without touching the template. The data stored in the session is minified, which can be easily modified by plugins (for example to adjust the weight). The cart is automatically stored for registered users. The cart checks also for any reload of the available quantity of the items and corrects it if needed.

You can re-use your layouts by using the new sublayouts (like minilayouts). They give your store a consistent appearance and make it easier to adjust standards for different layouts in one overridable file. The input data is very unified which makes it stable against updates. This is very handy for the native "add to cart" button and customfields in the category browse view. New parameters in the Joomla menu settings for virtuemart views and modules provide more flexibility and better joomla integration.

Frontend managing combined with the Joomla ACL now allows your vendors to directly access the VirtueMart backend from the frontend, without having access to the Joomla backend. The system now provides different modes for different multivendor systems. VM3 is now prepared to work with a sales team, or shipment team.

We reduced the dependencies on Joomla, but increased on the other hand the integration. For example, the core now uses only the JFormFields of Joomla 2.5 and not any longer the old vmParameter, but we added vRequest (MIT) as choice for JInput. Developers can now use the normal JFormField joomla conventions for all plugins.

Customfields refined

With new options, redesigned and a lot more flexible to use. In VM2 you had to override none or all customfields of the parent. In VirtueMart 3 you can disable or override each customfield independent of the others. This makes creation of product variants a lot easier and faster. The new child variants gives the possibility to display products with up to 5 rambifications (can be increased), which depend on each other. Very important is also the new behaviour that you can use one customtype as often you want for one product.

"Additional Shoppergroup" is a new feature for shoppergroups, which does not replace the default groups. This is very handy if you use the default shoppergroups for calculation.

jQuery clearance

The new jQuery versions are now mainly the same as in Joomla 3.3 (jQuery v1.11.0,jQuery UI - v1.9.2, legacy complete). Shops using Joomla 2.5 with VirtueMart 3 also benefit from this. It prevents needless configuration problems.

Extensions ready for VM3

All changes in the API have been deeply tested and most 3rd party developers have updated their extensions already. The whole core and extensions are now working with the new abstraction layer (vmText, vRequest,...). Please visit for updates of your extensions.

Customer experience

Will benefit from a smoother shopping experience:

  • Improved page load speeds
  • The ability to add products and their variants to the cart directly from the category browse view
  • Simpler checkout process helping to reduce cart abandonment
  • Predicted shipping costs prior to full address entry
  • Cart contents for logged in users are stored to allow checkout at a later time
  • For multi lingual stores, we now have a language fallback to the default language for non-translated text

Merchants and Shop Builders

Will see significant improvements, such as:

  • The most advanced VM available to date
  • Increased backend performance
  • Simplified process for adding and implementing product customfields
  • Enhanced parameters for displaying related products and categories
  • Additional parameters for the views in the joomla menu configuration
  • Easily add and configure your own shopperfields directly useable in the shopping cart
  • Increased ability to Restrict/Manage employee access to key functions using ACL

Template developers

  • Easily maintain a consistent appearance across multiple views using new Sub-layouts
  • Improved CSS gives a starting point for use in responsive designs

Create your market place

  • Different modes for multivendor
  • Full front end administration

Enhancements from a technical perspective

The team's significant points of focus were:-

  • Compatibility with Joomla 3
  • Clean architectural structure
  • Increased stability
  • Increased performance both for the front and backend
  • New internal program caches reduce the sql queries for the most used tasks by more than 25%
  • Reduced dependency on Joomla where appropriate.


  • Uses only the JFormFields
  • Reduced jQuery conflicts as we now mainly implement the same as Joomla 3.4 (jQuery v1.11.0,jQuery UI - v1.9.2, legacy complete).
  • Core and extensions are now working with a new abstraction layer
  • The xml files have also been updated to J2.5 style
  • New JavaScript Handler for ajaxified product details reload

How to update

Do NOT upgrade straight into live - you should run upgrades on a test version of your store and thoroughly test BEFORE considering a live upgrade

Please read for additional information.

Some useful tutorials for templaters and developers

Are available on our documentation center:

Support the project

If you like what we do, consider supporting us with a Membership.

VirtueMart 2.6.12 is released, Special Realex offer

We are pleased to announce the release of VirtueMart 2.6.12

Special Realex Offer

Realex Payments, one of Europe’s fastest growing payment solution providers, is delighted with its latest integration with Virtuemart, the free online shop solution. The integration with Virtuemart provides ecommerce merchants with a one-stop solution for merchant online payment processing. To mark this latest release, Realex Payments are offering 2 months FREE payment processing to all new VirtueMart merchants to their platform.

Improve your online conversions with Realex Payments’ latest shopping cart integration with VirtueMart.

VirtueMart 2.6.12 includes Realex

Realex Payments are offering 2 months FREE payment processing to all new VirtueMart merchants to their platform.

Sign Up today

VirtueMart 3 almost ready to launch

We release VirtueMart 3 next week.

You have not tested yet? it is time to do it.

You think you found a bug? please report it on the forum.

Your are a 3rd party VirtueMart developer? Test your extension against the new version.

Updates and bug fixes VirtueMart 2.6.12

  • Category tree cache considers language now
  • Realex: handling503; incorrect eci being submitted when card type is mastercard and eci value returned is 2;returntovm: missing option com_virtuemart; 503 dont block transactions; invalid payment infos errorcode 509; maestro cards, redirect in case of payment details error; added partial refund and partial capture
  • Klarna: ok with opc off; country names; company/private fixed
  • Vmpdf uses folder VMPATH_ROOT instead of K_PATH_IMAGES
  • Encrypted data is stored encrypted in vmtable cache
  • Installation routine shows right options for fullinstaller
  • VmTable, enhanced Cache and other optimisations
  • Payments autosubmit jquery
  • Added VMPATH_ROOT constants for compatibility with VM3
  • Fixed recipient in invoice/view.html.php rendermaillayout
  • Controller alias vmplg
  • AIO: removed permission checking, list installed plugins
  • Unpublished the uk states
  • Permissions use joomla and/or virtuemart
  • Storemanagers can edit orders now (as requested)
  • Removed "displayed name" from order edit address
  • Loadvmtemplatestyle should now always load the fe style even fired from BE
  • Preloading js
  • Enhanced Registration email added address,
  • Fixed typo in config/checkout
  • Vmtable: added bindto
  • _getlayoutpath: checks if layout is in plugin folder and then plugin subfolder
  • Access to update tools does not use issupervendor function anylonger
  • Fixed error in shoppergroup list, that ordering for ids deleted the "default" shoppergroup 
  • Added order status list for desired attachment order status 
  • Readded to continue_link_html the class in the link class="continue continue_link"
  • Added attachment for mail. Use attach_os as array in the config file for the desired orderstatus 
  • Added option reuseorders, also settable by config file.
  • Minor in userfields load function
  • Payments using json_encode
  • Shopper group name in payment/shipment
  • Just added the filter for the dot again (slug creation)
  • Joomla update server fix

Security release of vm2.6.10 and vm2.9.9b

If you are using a version lower than 2.6.10, you should update right away.

During a routine audit done by the Sucuri firm, they found a critical vulnerability and informed the VirtueMart team.
The bug was immediately patched (in record time) and the version 2.6.10 (stable version) and 2.9.9b (in RC state) fixes this issue.

If you cannot update VirtueMart, please follow those instructions.

Our Security policy

There were recently some misconceptions about our security policy. Some people complain that we are not following the "Full Disclosure" philosophy (please read Full disclosure (computer security) ). The "Full Disclosure" comes from the beginning of the open source movement and is also to see as an answer to the "non-disclosure" behavior of proprietary software vendors. The experience was that sent vulnerabilities were not fixed. So the people learnt that revealing the vulnerability in public lead to a fast reaction of the blamed company. The evil guys of this business just started to blackmail companies.
There are of course also some other advantages. In case of Linux kernels, the idea is that all together work on a fix for it. The leaks are often a lot complexer and so the more people know about the faster it is fixed. Furthermore anyone should be able to learn from the leak to prevent the issue in future.

In our case, the most security leaks are fixed within minutes, maybe within 1-2 hours. So the argument, the more people the faster a fix is ready is not suitable for joomla/extensions. So we are following the philosophy of the "responsible disclosure" (please read Responsible disclosure ). Also is following this idea. They are professionals and know how to handle a vulnerability for the best of all users. They informed us secretly about the problem. We fixed it within a day, they tested our fix and asked if it is the right time to inform their customers. We did the most important thing, to provide a fix, only missing was the "responsible disclosure". So I agreed, but misunderstood them, because I did not meant that they disclosure the vulnerability in detail. A correct disclosure in our environment (php, opensource) must also always contain an explanation to fix the issue manually. The other reason is that the problem is actually in the joomla user "model" , and it should be also fixed in the JUser to prevent misuse of it before we should do the "Full disclosure". Persuading the joomla developers to protect their model got complexer than thought. Their argument is that there is no problem as long as you are using the Joomla Form. We got just stuck and must now prepare an explanation, why it is always bad to allow any form to override internal variables of an object.

How to get the security fix without updating VirtueMart

If you cannot update VirtueMart, there are two possibilites:

Exchange the file models/user.php

The easiest way is just to exchange the user model with the new one:

  1. Dowload the latest version (VirtueMart 2.6.10 or VirtueMart 2.9.9b)
  2. Replace the file /administrator/components/com_virtuemart/models/user.php with the new one.

The user model is almost untouched for a year, so you should first try just to exchange the model.

Patch the user.php file

If you think your user model is too heavily modified, it is enough to add a unset($data['isRoot']); to the top of the user store function:

  1. Go to /administrator/components/com_virtuemart/models/user.php
  2. Search for the function named function store(&$data,$checkToken = TRUE)
  3. Replace if (!$user->bind($data)) { with
    	$whiteDataToBind = array();
    	$whiteDataToBind['name'] = $data['name'];
    	$whiteDataToBind['username'] = $data['username'];
    	$whiteDataToBind['email'] = $data['email'];
    	if(isset($data['password'])) $whiteDataToBind['password'] = $data['password'];
    	if(isset($data['password2'])) $whiteDataToBind['password2'] = $data['password2'];
    	} else {
    		$whiteDataToBind = $data;
    // Bind Joomla userdata
    if (!$user->bind($whiteDataToBind)) {

We just creating a new array and setting any variable manually (white list).

The real problem behind all this

The JUser model bind function just loops through the properties of the class and sets data with the same name to the object. The filtering is done by an attached JForm (Gui elements) to filter the input of the data. So if developers use the joomla model without form, they have to filter the data themself, else it is possible to override internal variables of the object.
The binding for normal JTables does not override internal variables as long you follow the habit/convention to name them with a trailing underscore _. The check function additionally ensures that the data is correct. But the juser object does not follow the own joomla habits. Additionally it is very unclean to use MVC and to have a model, which needs GUI elements to do correct filtering. There exists enough tasks to use a model without any GUI. For a developer just using the joomla API it is like a trap. A model should be secure by itself, without the need of a "View" or "Controller" to be safe. SCNR, but joomla 2.5.16 fixed a security leak in some the JFormFields. So other solutions based on that were also very unsecure for years.

The suggested fix in the joomla user model is very easy. Just unset the sensitive data, if a user is not admin. This should be done in the bind function and in the store function. The advantage lays on the hand.
A lot other extensions for joomla become more secure. It is very unlikely that only VM has this problem.
People can do a small joomla update and still use their modified extensions.

Personally I see the request for full disclosure as a typical academic, but noobish request. Not only the good guys learn from disclosures. The black hat fraction also learns from it. It is important to differ and sometimes a full disclosure makes absolut sense, but not always. It depends on the complexity of the problem, how many people already know about, the reaction of the maintainers, and so on.


We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.