The iCagenda extension for Joomla contains an improper access control vulnerability (CWE-284) that permits unauthenticated attackers to upload arbitrary files through the file attachment functionality. This flaw enables the upload and execution of malicious PHP code, potentially leading to full system compromise. The vulnerability has a CVSS 4.0 base score of 10.0, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Affected versions include 1.0.0 to 3.9.14 and 4.0.0 to 4.0.7. As of the published date, no official fix or patch has been released.

Successful exploitation allows remote attackers to execute arbitrary PHP code on the server hosting the vulnerable iCagenda extension, resulting in full compromise of the Joomla site and potentially the underlying server. This can lead to data theft, site defacement, or further network pivoting. The vulnerability requires no authentication or user interaction, making it highly exploitable.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the file attachment feature, disable the iCagenda extension if possible, or implement web application firewall (WAF) rules to block malicious file uploads targeting this vulnerability.