Klik & Pay is included in VirtueMart 2.6.14 and VirtueMart 3.0.2

We are pleased to announce the release of VirtueMart 2.6.14 and VirtueMart 3.0.2.

Klik & Pay is a holistic secured payment solution accessible via PC, tablet and/or smartphone. Partnered with many banks and international acquirers, Klik & Pay has assisted its merchants for 15 years, in France, Europe and all over the world. Klik & Pay is:

  • A global solution not requiring a DSA
  • Competitive pricing, with no monthly fees or set-up fee
  • An anti-fraud scoring linked to an account with or without 3D Secure
  • A multi-lingual staff available by telephone and email
  • A consulting service to help you to develop your business and assist you at an International level

Optimize your conversion rate:

  • Multi currencies cashing
  • Multi lingual payment pages
  • 3DS and non-3DS merchant account with trigger point

Increase Sales:

  • Virtual Payment Terminal
  • Payment by email
  • Payment by SMS

Secure your activity:

  • Anti-fraud scoring system
  • Transaction Management
  • Litigation support

Open an account or send us an email.

If you already have a Klik & Pay merchant account, you can directly set it up using our payment plugin Klik & Pay provided in VirtueMart.

We worked a lot on the new VirtueMart 3.0.2. The update should be easy. There are many database changes, but they are minor. They will noticeably increase the speed of your pages. Bugs fixed:

  • increased consistency of the install.sql and reduced int size for better performance
  • extra attachment should now be sent to the shopper and not vendor as intended
  • added itemId to products
  • fixed "typo" in calculationh.php
  • vmJsApi: the function addJScript no longer overwrites the attribute "written" if it already exists
  • set CacheTime to minutes
  • fixed javascript for tinyMce 4, removed the doubled // of the flag link
  • fixed typo in plugin.php
  • Better use of loading the xml parameter into the JForm (thx Kainhofer)
  • enhanced modals (thx Spyros)
  • sortSearchListQuery or products model uses getCurrentUser now to ensure that the correct id is set (Thank you Stan Scholtz)
  • removed a lot of deprecated getSetError(s)
  • vmTable is no longer derived from JTable, derived functions added
  • optimised joomla tables for fullinstaller
  • Some more adjustments of VmTable for J3, using dummy interfaces
  • fixed spec file font problem, if no spec files there
  • users allowed to administrate shoppers can now also select shoppers in the cart
  • removed old comments, vmdebugs,...
  • changed all <span class="product-field-display"> to <div class="product-field-display">

We still support vm2.6 and there is also no EOL set yet. But new features will be found in VM3. The update to vm2.6.14 should be very user friendly. Bugs fixed:

  • jQuery fix for automatic redirection to payment providers
  • PDF works with diskcache now, less problems with images in invoice
  • Authorize.net works now also with extra ST address
  • small fixes, enhancements, removed typos for different payments

VirtueMart 3 continues to set global benchmarks

Compatible with Joomla 2.5 and Joomla 3, the new generation of the eCommerce solution VirtueMart is now available with many new easing features. Built with the experience of more than 10 years, VirtueMart 3 provides you with a powerful and comprehensive eCommerce solution. We give you a flavour of the work we have done to provide you with one of the best open-source e-commerce solutions around!

This new generation of the ecommerce platform VirtueMart includes many new features under the hood and is a continuous development of VM2. Our main focus was to make it compatible with Joomla 3, cleaning the architecture, increasing the stability, and increasing the performance. In short: looking superficially at VirtueMart 3 it looks and works almost as VM2, but the feeling and handling is different.

Thousands of man hours have been spent and countless changes have been done updating and enhancing VirtueMart. We are happy and thank the many dedicated developers and store owners that helped to test and provide positive feedback on this most recent version.

VM2 to VM3 is an upgrade, implemented using the Joomla install manager - it does not require a migration (as was the case for VM1 to VM2). We have maintained as much compatibility as possible with VM2 but we have had to make some changes in order to deliver the improvements in VM3.

Your Shoppers and Store Owners benefits

Shoppers will be delighted by the enhanced speed, add to cart buttons in the category browse view, and simpler checkout. Shop owners will notice the enhanced backend speed and simplified customfields. Shop builders will find a lot more tools to fulfill the wishes of their customers.

The ajaxified reload of product variants and neighboured products enhance the browsing experience significantly. To ensure proper loading of JavaScript we had to implement our own Javascript loader. We may extend this feature also to other views for example the pagination of the product browse page.

New internal program caches reduce the SQL queries for the most used tasks by more than 25%. Heavy functions are additionally cached with the Joomla cache.

Developers benefits

The new core has an advanced cart with enhancements to provide better update compatibility. For example the new custom userfields include now an option to be displayed on the checkout page and can use their own overridable mini layouts, making it easy to adjust the cart to legal requirements without touching the template. The data stored in the session is minified, which can be easily modified by plugins (for example to adjust the weight). The cart is automatically stored for registered users. The cart checks also for any reload of the available quantity of the items and corrects it if needed.

You can re-use your layouts by using the new sublayouts (like minilayouts). They give your store a consistent appearance and make it easier to adjust standards for different layouts in one overridable file. The input data is very unified which makes it stable against updates. This is very handy for the native "add to cart" button and customfields in the category browse view. New parameters in the Joomla menu settings for virtuemart views and modules provide more flexibility and better joomla integration.

Frontend managing combined with the Joomla ACL now allows your vendors to directly access the VirtueMart backend from the frontend, without having access to the Joomla backend. The system now provides different modes for different multivendor systems. VM3 is now prepared to work with a sales team, or shipment team.

We reduced the dependencies on Joomla, but increased on the other hand the integration. For example, the core now uses only the JFormFields of Joomla 2.5 and not any longer the old vmParameter, but we added vRequest (MIT) as choice for JInput. Developers can now use the normal JFormField joomla conventions for all plugins.

Customfields refined

Customfields come with new options, are redesigned and are a lot more flexible to use. In VM2 you had to override none or all customfields of the parent. In VirtueMart 3 you can disable or override each customfield independently of the others. This makes creation of product variants a lot easier and faster. The new child variants give the possibility to display products with up to 5 ramifications (can be increased), which depend on each other. Also very important is the new behaviour that lets you use one customtype as often as you want for one product.

"Additional Shoppergroup" is a new feature for shoppergroups, which does not replace the default groups. This is very handy if you use the default shoppergroups for calculation.

jQuery clearance

The new jQuery versions are now mainly the same as in Joomla 3.3 (jQuery v1.11.0, jQuery UI v1.9.2, legacy complete). Shops using Joomla 2.5 with VirtueMart 3 also benefit from this. It prevents needless configuration problems.

Extensions ready for VM3

All changes in the API have been deeply tested and most 3rd party developers have updated their extensions already. The whole core and extensions are now working with the new abstraction layer (vmText, vRequest,...). Please visit http://extensions.virtuemart.net for updates of your extensions.

Customer experience

Will benefit from a smoother shopping experience:

  • Improved page load speeds
  • The ability to add products and their variants to the cart directly from the category browse view
  • Simpler checkout process helping to reduce cart abandonment
  • Predicted shipping costs prior to full address entry
  • Cart contents for logged in users are stored to allow checkout at a later time
  • For multi lingual stores, we now have a language fallback to the default language for non-translated text

Merchants and Shop Builders

Will see significant improvements, such as:

  • The most advanced VM available to date
  • Increased backend performance
  • Simplified process for adding and implementing product customfields
  • Enhanced parameters for displaying related products and categories
  • Additional parameters for the views in the joomla menu configuration
  • Easily add and configure your own shopperfields directly useable in the shopping cart
  • Increased ability to Restrict/Manage employee access to key functions using ACL

Template developers

  • Easily maintain a consistent appearance across multiple views using new Sub-layouts
  • Improved CSS gives a starting point for use in responsive designs

Create your market place

  • Different modes for multivendor
  • Full front end administration

Enhancements from a technical perspective

The team's significant points of focus were:-

  • Compatibility with Joomla 3
  • Clean architectural structure
  • Increased stability
  • Increased performance both for the front and backend
  • New internal program caches reduce the sql queries for the most used tasks by more than 25%
  • Reduced dependency on Joomla where appropriate.


  • Uses only the JFormFields
  • Reduced jQuery conflicts as we now mainly implement the same as Joomla 3.4 (jQuery v1.11.0, jQuery UI v1.9.2, legacy complete).
  • Core and extensions are now working with a new abstraction layer
  • The xml files have also been updated to J2.5 style
  • New JavaScript Handler for ajaxified product details reload

How to update

Do NOT upgrade straight into live - you should run upgrades on a test version of your store and thoroughly test BEFORE considering a live upgrade

Please read http://docs.virtuemart.net/tutorials/installation-migration-upgrade/198-upgrade-virtuemart-2-to-virtuemart-3.html for additional information.

Some useful tutorials for templaters and developers

Are available on our documentation center:

Support the project

If you like what we do, consider supporting us with a Membership.

VirtueMart 2.6.12 is released, Special Realex offer

We are pleased to announce the release of VirtueMart 2.6.12

Special Realex Offer

Realex Payments, one of Europe’s fastest growing payment solution providers, is delighted with its latest integration with Virtuemart, the free online shop solution. The integration with Virtuemart provides ecommerce merchants with a one-stop solution for merchant online payment processing. To mark this latest release, Realex Payments are offering 2 months FREE payment processing to all new VirtueMart merchants to their platform.

Improve your online conversions with Realex Payments’ latest shopping cart integration with VirtueMart.

Sign Up today

VirtueMart 3 almost ready to launch

We release VirtueMart 3 next week.

You have not tested it yet? It is time to do it.

You think you found a bug? Please report it on the forum.

You are a 3rd party VirtueMart developer? Test your extension against the new version.

Updates and bug fixes VirtueMart 2.6.12

  • Category tree cache considers language now
  • Realex: handling 503; incorrect eci being submitted when card type is mastercard and eci value returned is 2; returntovm: missing option com_virtuemart; 503 don't block transactions; invalid payment infos errorcode 509; maestro cards, redirect in case of payment details error; added partial refund and partial capture
  • Klarna: ok with opc off; country names; company/private fixed
  • Vmpdf uses folder VMPATH_ROOT instead of K_PATH_IMAGES
  • Encrypted data is stored encrypted in vmtable cache
  • Installation routine shows right options for fullinstaller
  • VmTable, enhanced Cache and other optimisations
  • Payments autosubmit jquery
  • Added VMPATH_ROOT constants for compatibility with VM3
  • Fixed recipient in invoice/view.html.php rendermaillayout
  • Controller alias vmplg
  • AIO: removed permission checking, list installed plugins
  • Unpublished the uk states
  • Permissions use joomla and/or virtuemart
  • Storemanagers can edit orders now (as requested)
  • Removed "displayed name" from order edit address
  • Loadvmtemplatestyle should now always load the fe style even fired from BE
  • Preloading js
  • Enhanced Registration email added address
  • Fixed typo in config/checkout
  • Vmtable: added bindto
  • _getlayoutpath: checks if layout is in plugin folder and then plugin subfolder
  • Access to update tools no longer uses the issupervendor function
  • Fixed error in shoppergroup list, that ordering for ids deleted the "default" shoppergroup 
  • Added order status list for desired attachment order status 
  • Readded to continue_link_html the class in the link class="continue continue_link"
  • Added attachment for mail. Use attach_os as array in the config file for the desired orderstatus 
  • Added option reuseorders, also settable by config file.
  • Minor in userfields load function
  • Payments using json_encode
  • Shopper group name in payment/shipment
  • Just added the filter for the dot again (slug creation)
  • Joomla update server fix

Security release of vm2.6.10 and vm2.9.9b

If you are using a version lower than 2.6.10, you should update right away.

During a routine audit done by the Sucuri firm, they found a critical vulnerability and informed the VirtueMart team.
The bug was immediately patched (in record time), and versions 2.6.10 (stable version) and 2.9.9b (in RC state) fix this issue.

If you cannot update VirtueMart, please follow these instructions.

Our Security policy

There were recently some misconceptions about our security policy. Some people complain that we are not following the "Full Disclosure" philosophy (please read Full disclosure (computer security)). "Full Disclosure" comes from the beginning of the open source movement and should also be seen as an answer to the "non-disclosure" behavior of proprietary software vendors. The experience was that reported vulnerabilities were not fixed. So people learnt that revealing a vulnerability in public led to a fast reaction from the blamed company. The evil guys of this business just started to blackmail companies.
There are of course also some other advantages. In the case of Linux kernels, the idea is that everyone works together on a fix. The leaks are often a lot more complex, so the more people know about one, the faster it is fixed. Furthermore, anyone should be able to learn from the leak to prevent the issue in future.

In our case, most security leaks are fixed within minutes, maybe within 1-2 hours. So the argument that the more people know, the faster a fix is ready does not apply to Joomla/extensions. So we follow the philosophy of "responsible disclosure" (please read Responsible disclosure). sucuri.net also follows this idea. They are professionals and know how to handle a vulnerability in the best interest of all users. They informed us secretly about the problem. We fixed it within a day, they tested our fix and asked if it was the right time to inform their customers. We had done the most important thing, providing a fix; the only thing missing was the "responsible disclosure". So I agreed, but misunderstood them, because I did not mean that they should disclose the vulnerability in detail. A correct disclosure in our environment (PHP, open source) must also always contain an explanation of how to fix the issue manually. The other reason is that the problem is actually in the Joomla user "model", and it should also be fixed in JUser to prevent misuse of it before we do the "Full disclosure". Persuading the Joomla developers to protect their model turned out to be more complex than thought. Their argument is that there is no problem as long as you are using the Joomla Form. We got stuck and must now prepare an explanation of why it is always bad to allow any form to override internal variables of an object.

How to get the security fix without updating VirtueMart

If you cannot update VirtueMart, there are two possibilities:

Exchange the file models/user.php

The easiest way is just to exchange the user model with the new one:

  1. Download the latest version (VirtueMart 2.6.10 or VirtueMart 2.9.9b)
  2. Replace the file /administrator/components/com_virtuemart/models/user.php with the new one.

The user model has been almost untouched for a year, so you should first try just to exchange the model.

Patch the user.php file

If you think your user model is too heavily modified, it is enough to add an unset($data['isRoot']); to the top of the user store function:

  1. Go to /administrator/components/com_virtuemart/models/user.php
  2. Search for the function named function store(&$data,$checkToken = TRUE)
  3. Replace if (!$user->bind($data)) { with
        // NOTE: the opening condition of this block is missing from this page.
        // $callerIsAdmin is a placeholder for your own "current user is an administrator" check.
        if (!$callerIsAdmin) {
            // White list: copy only the fields a shopper may set
            $whiteDataToBind = array();
            $whiteDataToBind['name'] = $data['name'];
            $whiteDataToBind['username'] = $data['username'];
            $whiteDataToBind['email'] = $data['email'];
            if(isset($data['password'])) $whiteDataToBind['password'] = $data['password'];
            if(isset($data['password2'])) $whiteDataToBind['password2'] = $data['password2'];
        } else {
            // Administrators may bind the full data set
            $whiteDataToBind = $data;
        }
        // Bind Joomla userdata
        if (!$user->bind($whiteDataToBind)) {

We just create a new array and set each variable manually (white list).

The real problem behind all this

The JUser model bind function just loops through the properties of the class and sets data with the same name on the object. The filtering is done by an attached JForm (GUI elements), which filters the input data. So if developers use the Joomla model without a form, they have to filter the data themselves; otherwise it is possible to override internal variables of the object.
The binding for normal JTables does not override internal variables as long as you follow the habit/convention of naming them with a trailing underscore _. The check function additionally ensures that the data is correct. But the JUser object does not follow Joomla's own habits. Additionally, it is very unclean to use MVC and to have a model which needs GUI elements to do correct filtering. There are enough tasks that use a model without any GUI. For a developer just using the Joomla API it is like a trap. A model should be secure by itself, without the need of a "View" or "Controller" to be safe. SCNR, but Joomla 2.5.16 fixed a security leak in some of the JFormFields. So other solutions based on that were also very insecure for years.

The suggested fix in the Joomla user model is very easy: just unset the sensitive data if the user is not an admin. This should be done in the bind function and in the store function. The advantages are obvious.
A lot of other extensions for Joomla become more secure. It is very unlikely that only VM has this problem.
People can do a small Joomla update and still use their modified extensions.
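
The binding behaviour and the white list fix described above, as an added example (not VirtueMart's or Joomla's own code). DemoUser is a hypothetical stand-in for a model whose bind() copies every matching key; whitelistUserData() and the request array are constructed for illustration, and listing the dropped keys for logging is an extra that is not part of the patch.

```php
<?php
// Added illustration: DemoUser is a hypothetical stand-in, NOT Joomla's JUser.
// It only mimics the "loop over the properties" bind() described in the text.
class DemoUser
{
    public $name = '';
    public $username = '';
    public $email = '';
    public $password = '';
    public $isRoot = null; // internal flag that a form must never set

    // Copies every array key that matches a property name. No filtering here:
    // the model relies on someone else (a form) to have cleaned $data.
    public function bind(array $data)
    {
        foreach (array_keys(get_object_vars($this)) as $prop) {
            if (array_key_exists($prop, $data)) {
                $this->$prop = $data[$prop];
            }
        }
        return true;
    }
}

// White list for the store function: a non-admin caller keeps only the keys
// named in the patch; an admin caller keeps the full data set.
function whitelistUserData(array $data, $callerIsAdmin)
{
    if ($callerIsAdmin) {
        return $data;
    }
    $allowed = array('name', 'username', 'email', 'password', 'password2');
    return array_intersect_key($data, array_flip($allowed));
}

// Constructed request data: a registration form carrying one extra field.
$post = array(
    'name'      => 'Jane Shopper',
    'username'  => 'jane',
    'email'     => 'jane@example.com',
    'password'  => 'constructed-sample',
    'password2' => 'constructed-sample',
    'isRoot'    => 1,
);

// Before the fix: the raw array is bound, so the internal flag is overwritten.
$before = new DemoUser();
$before->bind($post);

// After the fix: the data of a non-admin caller goes through the white list.
$clean = whitelistUserData($post, false);
$after = new DemoUser();
$after->bind($clean);

// Keys the white list removed; worth logging, since a normal form never sends them.
$dropped = array_keys(array_diff_key($post, $clean));

printf("raw bind:    isRoot = %s\n", var_export($before->isRoot, true));
printf("white list:  isRoot = %s\n", var_export($after->isRoot, true));
printf("white list:  email  = %s\n", var_export($after->email, true));
printf("dropped keys: %s\n", implode(', ', $dropped));
```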

Personally I see the request for full disclosure as a typical academic, but noobish request. Not only the good guys learn from disclosures. The black hat faction also learns from it. It is important to differentiate, and sometimes a full disclosure makes absolute sense, but not always. It depends on the complexity of the problem, how many people already know about it, the reaction of the maintainers, and so on.


VirtueMart 2.6.8 includes Realex

We are pleased to announce that Realex is now available through VirtueMart’s ecommerce solution.

Sign Up today

and receive 1 month free processing!

Use the Realex Payments integration as part of your VirtueMart e-commerce solution and benefit from a seamless, no-hassle integration offering industry-leading features and support.

Why Choose Realex?

Realex Payments is a leading European payment services provider, with offices in Dublin, London and Paris. We currently process in excess of €24 billion annually for over 12,500 clients including Virgin Atlantic, notonthehighstreet.com, Vodafone, Paddy Power and BooHoo.

Some of the key reasons merchants choose us over other gateways:

  • 3DSecure - Protect yourself against fraud and chargebacks. We fully support 3DSecure, which provides additional protection should a chargeback occur.
  • Access your funds quickly - The Acquiring Banks we work with typically settle funds into your account within 2 days, unlike 7 days for some of our competitors.
  • Pricing - As you scale your business, other payment processors can very quickly become expensive. We offer a flat per transaction rate that can be tailored to your business as you grow.
  • Customer Service - We don’t believe in IVRs, simply pick up the phone and speak with a familiar voice

Realex Features

"Realex Payments are delighted to have partnered with the VirtueMart core team to build a simple to use and feature-rich integration."

Features include:

  • Processing for all card payment types
  • Major alternative payment methods (PayPal, Sofort, GiroPay, ELV, iDeal)
  • Transactions processing in 150 currencies
  • Fully PCI level 1-compliant, responsive and customisable hosted payment page
  • 1-Click checkout for a seamless checkout experience
  • Secure Card Tokenisation for recurring payments - RealVault
  • Dynamic Currency Conversion to allow shoppers to pay in their currency
  • Fraud checks: CVN, 3DSecure (incl. Amex SafeKey) and AVS
  • Comprehensive suite of fraud management tools - RealScore
  • Delayed/Deferred Settlement
  • Comprehensive Order Management (refund, void, settle) from the VirtueMart back-office
  • Plug and play access to our APIs
  • Comprehensive, configurable and flexible transaction routing capability

To Find Out More

For more information please contact us, or sign up with Realex Payments today to get one month free processing and join the hundreds of VirtueMart merchants who know and trust us to process thousands of orders per week.

Updates and bug fixes VirtueMart 2.6.8

  • Preventing double orders (3rd party developers may adjust their payments)
  • Shipment price display in product details
  • Better Itemid handling in the router
  • Thumbnail resizing if one dimension is 0 (same as already for vm3)
  • Router is using category model now, better use of already cached data
  • If One Page Checkout is disabled and Show checkout steps is activated, then the shipment and payment selection is only shown if a shipment/payment is already selected. This gives back the old VM1 behaviour
  • Little fix for shipment/payment tax with different VatTax rules
  • Fix for product cache (happened rare)
  • Lots of small fixed typos, increased robustness, little enhancements
