VirtueMart 3.2.14 - Security Release and enhanced invoice handling

This fairly serious XSS discovered by Mattia Furlani pertained only the administration area, so most shops are not affected. Shop owners running a multi-vendor store or fearing that their employees may use this leak should update as soon as possible.

The new core has some fixes for php 7.1 - 7.2 compatibility.

Compliance to the new french financial law

At present we have also integrated some fraud protection requirements to comply with the new French law. This includes, for example, the new invoice processing system. When an invoice was changed, the old treatment renamed the originally created invoice and created a new invoice with the same invoice number. The new treatment creates a regular new invoice number while the old invoice remains listed and accessible. We also added an order item history table. The class vmtable can now automatically save a hash to any entry. For example the order entries store a hash of the important data per line, so it is now possible to check the integrity of an entry. This system is not completed yet.

Further features:

  • Behaviour of the table object is more consistent and reliable.
  • Behaviour of payment plugins after pressing confirm in the cart and cancelling the payment is now more consistent.
  • Removed w3c validation errors.
  • Corrected routing for orderdone layout.
  • Trigger 'plgVmAfterStoreProduct', added array key "new" to $data, so that we know if a product is new or just updated.
  • Customfield date has now two extra parameters to set the initial date and year range. The initial date uses as format DateInterval, so the P0D means use the current.
  • Language files updated.
  • Long desired fix, dropdowns of prices in product edit work now directly.
  • Enhanced handling of the orderdone layout.
  • Minor compatibility enhancements of javascript and html.
  • _triesValidateCoupon is now emptied after entering a valid coupon.
  • Coupons are not automatically removed any longer when expired.
  • Full installer now also works with multilingual setup.

The full list is available here

VirtueMart 3.2.10 - Just a hotfix update

Just a hotfix update.

Here is the complete list of fixes:

  • PayPal: Check IPN provider IP extra config parameter for standard and hosted (disabled by default now)
  • Important fix for vmcrypt preventing creation of keys, if there is already an existing one.
  • important fix for the date, the call was accidently using "null" as timezone parameter, which returns the server time. Added parameter and replaced the null against a default "false", which uses then the joomla configuration for the Timezone.
  • category browse view, added "alreadyLoadedIds" to group product for the feature "omitt already loaded"

VirtueMart 3.2.8 - Bugfix Release

Unfortunately, we were a bit too fast with our security release, having found an error in the testing phase we created another small bug while we were fixing it.

VirtueMart usually sets the default Joomla frontend language as the shop language, it is this function that had an issue. Some multi-lingual shops failed to load products when the shop language was not explicitly set, or not by default in english.

We have tested this new fix and we do not see any bugs.

Finally, we dropped our dependency on SimplePie for RSS feeds and now use the JFeedFactory of Joomla to display the news and product feed on the dashboard.

Here is the complete list of fixes:

  • Fixes for search options and display of search results
  • Search plugin, added SKU (by Franz-Peter Scherer)
  • Shop language is correctly set by Joomla default front end language
  • Fixed another problem with the order language
  • While loop finding a product alias got increased to 40 (was 20) to prevent errors when child products did not find a proper alias
  • Fixed broken new Coupon
  • Fixed broken displayLogos function (was missing a DS)
  • Fixed version.php revision number
  • Fixed lost sorting of product list if a product was stored
  • Uncategorized products are listed again in the admin product list
  • The fixed thumbnail size in the product list is now set to 90px
  • Added layout of customfield to customfields list
  • vmLoaderPluginUpdate. Removed buggy isClient() against isAdmin(). So vm3.2.8 should be Joomla 2.5 compatible again
  • Browsing for products of a manufacturer now activates the subordinated settings analogous to categories
  • Removed links in Order print view (destroyed layouts without correct css)
  • Removed ShipTo address in invoice, if the address is the same as BillTo
  • Changed RSS feed, dropping simplepie and using jfeedFactory instead, see
  • fancybox/jquery.fancybox-1.3.4.pack.js got updated. Removed a little bug. See
  • Fix for the router when the URL of the product uses the language fallback
  • Fix XPF currency
  • Paybox: fix min_amount, countries and check server availability new parameter

VirtueMart 3.2.6 - Security Release and overhauled infrastructure

A minor XSS vulnerability was present in versions prior to 3.2.6. It occurred when the features feeds and search were used together. It happened only for feed enabled, so administrators can also close the leak in earlier versions by disabling the feed functions. The URL creation of the feed function used an improper call for JRoute. So urlencoded js was executed. The problem is fixed now by using our getCurrentUrlBy function, which works with a whitelist for variable names and it urlencodes any value. 

Changes in VirtueMart version 3.2.6

The plugin vmLoaderPluginUpdate now redirects from the normal Joomla registration to the VirtueMart registration. The reason is that the Joomla registration is always missing the address and other VirtueMart related information. So it should not be used. The plugin provides a parameter to disable it. The normal customfields of type S or M can now use the price modifier as percentage. The shipment plugin now also works with multiple countries. The media manager has a new important function, we can now delete a media physically (not just the entry) and the thumbs are also automatically deleted. Some extra security checks were added. Version 3.2.6 is not joomla 2.5 compatible anylonger.

  • Important patch to prevent memory leak when switching languages.
  • usermodel, extra check if the already loaded user has the right id.
  • Renamed order_done layout to orderdone to be able to create a menu item.
  • New feature customfield of type S and M have now a new parameter, which enables the added price as percentage.
  • Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
  • Shipment plugin shows now also multiple countries.
  • vmJsApi, fix for correct language of the datepicker.
  • mediahandler has now a deleteAllThumbs of a certain image function (works with regex, may delete accidently too much thumbs which is quite likely unimportant.
  • Vendor model getVendorAddressFields does not work with internal id anylonger.
  • BE category list keeps selected category.
  • Very important fix for multivariants, which lost in some conditions the parent option, when changing to a child.
  • Language dependent caching.
  • install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
  • More security for function getMyOrderDetails.
  • Enhanced search plugin.
  • Removed double // in function displayLogos in vmpsplugin.php. When the shipment/payment logo dissapeared in checkout, please read
  • Function changeShopper, address is not pre-filled with userdata of the switching user (in case the address is not provided).
  • Fixed frontend manager link permission in user accountmaintenance.

You can find the full list of changes here:

Changes on the VirtueMart Website

A task force led by Stefan Schumacher finally updated our site to joomla 3.8. Lately a lot of people also noticed the trouble with our SSL certificate, issued by StartCom. Initially, Google had announced to revoke trust for certificates issued by StartCom after October 21, 2016. Our expensive wildcard certificate was issued before that date, so there was no need for action. Unfortunately Google actually phased out trust also for all older WoSign and StartCom certificates with the release of Chrome 61. If you want to read more details about this, have a look at
So we decided to use Let'sEncrypt instead, which runs maintenance free only with Certbot installed. This led to the problem that we had to update our main server completely. For this, we received fantastic help by Sören Eberhardt-Biermann, the founder of VirtueMart. All systems are finally updated and running with the latest versions. This means for that we now operate with the latest redmine version and that our SVN server got updated, too. The mail server system has also been updated, because the old system sometimes had hiccups. Last but not least we also updated to php7.

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.