Popular content management system (CMS) Joomla has pushed three patches, including a critical fix for SQL injection vulnerabilities that allow attackers to become admins on most customer websites.

The team issued fix 3.4.5 addressing the SQLi vulnerabilities (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858), which exist in versions 3.2 to 3.4.4 and were identified earlier this month.

Joomla is used by the likes of Barnes and Noble, eBay, and Peugeot.

Trustwave's Asaf Orpani and PerimeterX's Netanel Rubin quietly disclosed the bugs, which were quickly patched.

Orpani offers lengthy detail on how the flaws can be exploited and notes that the VirtueMart shopping platform can be owned since it is built on the vulnerable core Joomla module.

"Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable," Orpani says.

"[It] is located in Joomla's core module, [meaning] e-commerce sites using VirtueMart are also vulnerable to exploit."

It is the first time Joomla has issued a pre-announcement ahead of a critical patch.

Two other access control list violations (CVE-2015-7859, CVE-2015-7899) reported by the pair, both rated moderate severity, allowed read access to unspecified data that should be restricted. ®