The SP Page Builder extension for Joomla contains an improper access control vulnerability (CWE-284) that permits unauthenticated attackers to upload arbitrary files. This flaw can be exploited to upload and execute arbitrary PHP code, resulting in full compromise of the affected Joomla installation. The vulnerability affects all versions from 1.0.0 up to and including 6.6.1. The CVSS 4.0 base score is 10.0, reflecting a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. As of the published date, no official fix or patch has been released by the vendor.

Successful exploitation allows unauthenticated attackers to upload and execute arbitrary PHP code on the server hosting the vulnerable SP Page Builder extension. This can lead to complete system compromise, including unauthorized access, data theft, and disruption of service. The vulnerability has a critical CVSS score of 10.0, indicating maximum impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to restrict access to the affected Joomla extension, disable or remove the SP Page Builder extension if not required, and monitor for suspicious activity related to file uploads. Avoid exposing the Joomla administrative interface to untrusted networks. Follow vendor channels closely for updates and apply patches immediately once available.