Manage and secure all your Joomla! & WordPress websites with ease
in a single dashboard for only $1/site/month or less

Try for free

30 days. No Credit Card.
No commitment.

Buy now

Start to manage all
your websites.

Serious backdoor vulnerability located in popular YouTube plugin for Joomla

Yesterday, the Watchful team identified a security vulnerability in a moderately popular and free Joomla add-on, the YouTube Joomla Plugin.

This plugin made it easy to embed YouTube videos in Joomla articles.

Unfortunately, the installation files available from the official plugin website included a malicious script or backdoor. The details on how this happened or who was responsible for inserting the backdoor into the installer are not yet clear.

This vulnerabilty is known to exist in the wild and although dangerous, appears to be have used primarily to insert backlinks into unsuspecting websites sites when crawled by specific search engines as you can see in this decoded sample.

How did you find this?

Finding software vulnerabilities and preventing further damage is a group effort in the Joomla community. 

Much credit goes to the following people who helped find this exploit and limit the damage:

  • Chad Windnagle (@drmmr763) for snooping out the clues.
  • Watchful's own Jeff Channel (@jeffchannell) for finding the exploit.
  • Phil Taylor (@blueflameit) for reporting the backdoor to the company hosting the website (the site was taken offline very quickly).
  • Ronni Christiansen (@redwebdk) and Tessa Merro (@TessaMero) for working together to remove the plugin from the Joomla Extensions Directory. 

 Is the website still distributing it?

No, the website was taken down by the hosting provider.

How can I check if I am using the plugin? 

In the Joomla backend, look for conent plugins with the name YouTube Joomla Plugin.

If you have multiple sites, speak to your IT department or hosting provider and have them search all your servers/accounts for either plg_content_youtube or plg_content_youtubeplugin. Be sure to search both the filesystem and database.

If your sites are Watchful-enhanced, you can also search for the plugin name from the Watchful dashboard.

I use that plugin, what should I do?

If you use the YouTube Joomla Plugin, there are three recommend number of remedies:

  1. Update the plugins to fixed versions lacking the backdoor. Sign-up below to receive the patched installers via email. 

  2. Uninstall the plugin from the Joomla backend and replace it with an alternative like OSYouTube.

Note that the Youtube Joomla Plugin — even with the backdoor removed — is no longer recommended on production websites as it uses deprecated PHP functions and appears to have no active development. 

Fixing many sites with the Watchful remote installer

If you need to patch multiple Watchful-enhanced sites, you can use the patched installers below to apply the fix to all of the sites at once  using the remote installer

Patched Installers

If you decide to keep the plugin on your existing site, the easiest thing to do is to re-install the plugin using a patched installer.

Simply complete the form below and after confirming your email address, the patched installers will be sent to you via email.

YouTube Backdoor signup

* indicates required

Why use Watchful?

You use WordPress and Joomla! in your agency.

You use WordPress and Joomla! in your agency.
Watchful works seamlessly with the two most popular website softwares: Wordpress and Joomla. And the list of supported applications is growing.
Matthew Philogene provides a great overview of all our projects. Great support, great tools, cannot live without!
Matthew Philogene /

Learn more about Multi CMS dashboard

You don’t check your websites for security problems or backups.

You don’t check your websites for security problems or backups.
Watchful helps you monitor industry-accepted best-practices and potential security issues. And if a problem arises, Watchful’s customer support is there to help you understand the problem and advise you on possible solutions.
Joe Sonne
Using Watchful is far better than having to deal with a hacked website because a site fell behind in security updates.
Joe Sonne /

Learn more about Site Audit

You manage your websites manually.

You manage your websites manually.
We started like that! But our spreadsheets and reminders quickly became very complicated. We designed Watchful to simplify website management and actually make it pleasant experience.
Kristoffer Sandven saves me from manually monitoring dozens of websites - I can keep them updated with just a few clicks from a single, slick interface!
Kristoffer Sandven /

Learn more about Remote Installer

It takes you days to update all your sites.

It takes you days to update all your sites.
Logging into websites and individually applying software updates is time-consuming and error-prone. With Watchful, we let you know what updates are available and help you apply updates across all your sites at the same time.
Jonathan Frewin
Watchful cut my monthly [maintenance] time down from days to hours.
Jonathan Frewin /
Learn more about Backup Manager

You don’t offer maintenance plans for your customers.

You don’t offer maintenance plans for your customers.
Maintenance plans are a key way most agencies generate recurring revenue and keep in regular contact with their clients. With Watchful you can offer professional maintenance plans and deliver white-label reports to show your clients the value of your work.
Martijn Boomsma
Watchful keeps us on track with updates and maintenance tasks so our clients sites are always monitored and up-to-date.
Martijn Boomsma /

Learn more about White-Label Reports

Watchful News and CMS Blog

WordPress support officially launches for Watchful - the webmasters toolbox

24 March 2017 / News

Effective immediately, Watchful now officially supports backups, updates, monitoring, and maintenance for websites powered by WordPress.

Preparations for migration to Amazon Web Services nearly complete

14 March 2017 / News

In the coming weeks, we plan to migrate our infrastructure from WiredTree to Amazon Web Service (AWS).

All News