The extension is currently listed on the Joomla's Vulnerable Extension list. The vulnerability is being exploited in the wild, several users have reported that someone had hacked into their website.
According to JomSocial, hackers breached JomSocial website by exploiting this vulnerability. The security experts at JomSocial have spotted the attack and released a patch for this vulnerability. While analyzing the vulnerability which is being exploited, they also discovered another critical vulnerability.
The vulnerability was discovered by a security researcher Matias Fontanini. He notified JomSocial about the vulnerability. At first, the team said that they have fixed the issue in the 18.104.22.168. However, researcher found 22.214.171.124 is also vulnerable.
The vulnerability is located in the 'photos' controller, 'ajaxUploadAvatar' task. The parameters parsed by the 'Azrul' plugin are not properly sanitized before being used in a call to the 'call_user_func_array' PHP function.
"This allows an attacker to execute arbitrary static class functions, using any amount of user-provided parameters." An attacker can exploit this vulnerability by calling CStringHelper::escape function and execute arbitrary PHP code.
|HTTP Request exploiting the vulnerability|
More technical details about the vulnerability and exploit code is available here.
As you can see that exploit code is already publicly available, all JomScoial Admins are advised to upgrade to latest version of the extension (v126.96.36.199) as soon as possible.