If you unpublish an insecure extension from the backend of your Joomla, a security issue still remains because a potential attacker can bypass Joomla’s index.php file and target the files of the vulnerable extension directly.

Therefore we advise you to completely remove the files and the database tables of such components from your hosting account. Usually the Uninstall process will do that for you, but still we recommend that you check the components folder of your Joomla and see whether there are any left-over files from the vulnerable component.

If so, then you should manually delete them using the File Manager in your cPanel or a regular FTP client.