
Max severity Joomla Content Editor extension flaw targeted in automated attacks


A maximum severity vulnerability in Widget Factory’s Joomla Content Editor (JCE) extension for the Joomla content management system is being exploited in automated attacks allowing unauthenticated remote code execution (RCE).

The vulnerability, tracked as CVE-2026-48907, was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, giving federal civilian executive branch agencies three days to remediate it under CISA’s latest binding operational directive.

Joomla is a free and open-source content management system (CMS) used for about 1.2% of websites, according to W3Techs, making it the fifth-most widely used CMS. Joomla Content Editor (JCE) is one of the most widely used Joomla extensions, used by about 83.7% of Joomla sites as of 2020, according to Watchful.

CVE-2026-48907 enables an attacker to create a new editor profile via JCE with no authentication, which then allows them to upload and execute arbitrary PHP files on the web server. According to mySites.guru, attackers have exploited this flaw to drop webshells on hundreds of sites and a public proof-of-concept exploit was published to GitHub on June 9.

“This is automated tooling spraying the same exploit at every JCE install it can reach, so a site with no public registration is not safe,” mySites.guru stated.

Widget Factory urges JCE users to update to version 2.9.99.6 immediately and review their sites for signs of exploitation. While version 2.9.99.5 fixes the original flaw, the latest version adds additional hardening of input validation and narrowing of entry points and is recommended by JCE’s maintainers.

Site owners are advised to check editor profiles for unrecognized entries, especially any whose Permitted File Extensions include PHP or other script extensions. Widget Factory also said that an altered front-end editor with a stripped-down or missing toolbar is a potential sign of exploitation.

Checking web server access logs for unauthenticated requests to the profile import task, "index.php?option=com_jce&task=profiles.import", was noted as the most reliable way to confirm compromise. Site owners are advised to restore from a backup taken before the earliest such request.

The images, media and tmp folders should be checked for any PHP files, as these folders ordinarily should not contain any PHP files; Widget Factory noted that the images folder is the default location when an upload path is not specified.
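The log and filesystem checks above, as an added triage script that is not part of the advisory or of JCE itself. It parses web server access logs in the Apache/nginx "combined" layout (an assumption; adjust the regular expression for other formats), lists every request to the profile-import task, and walks the images, media and tmp folders for script files, including double extensions such as shell.php.jpg. Treating a hit on the site-root index.php rather than /administrator/ as the unauthenticated path is a heuristic of this example, not something the advisory states. The log lines and the planted files are constructed so the script runs offline.

```python
import os
import re
import tempfile
from datetime import datetime

# Apache/nginx "combined" log layout (assumed; adjust if your host logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Both query parameters of the profile-import task named in the advisory.
IMPORT_MARKERS = ("option=com_jce", "task=profiles.import")

# Extensions a web server may execute as PHP; any one of them anywhere in the
# file name is flagged, so shell.php.jpg is caught as well as shell.php.
SCRIPT_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

# Folders that should never hold PHP; images is JCE's default upload path.
UPLOAD_DIRS = ("images", "media", "tmp")


def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_profile_imports(lines):
    """Every request to the JCE profile-import task, oldest first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if all(tok in path for tok in IMPORT_MARKERS):
            hits.append({
                "ts": parse_ts(m.group("ts")),
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                # Heuristic (assumption of this example): the import task is only
                # legitimately reached through the admin backend, so a hit on the
                # site-root index.php is treated as the unauthenticated path.
                "frontend": not path.startswith("/administrator/"),
            })
    hits.sort(key=lambda h: h["ts"])
    return hits


def find_script_files(webroot, dirs=UPLOAD_DIRS):
    """Paths (relative to the web root) of script-looking files in the upload folders."""
    found = []
    for d in dirs:
        for root, _subdirs, files in os.walk(os.path.join(webroot, d)):
            for name in files:
                if any(part in SCRIPT_EXTS for part in name.lower().split(".")[1:]):
                    found.append(os.path.relpath(os.path.join(root, name), webroot))
    return sorted(found)


def triage(lines, webroot):
    hits = find_profile_imports(lines)
    frontend = [h for h in hits if h["frontend"]]
    return {
        "import_requests": hits,
        # Restore from a backup taken before this moment.
        "restore_before": frontend[0]["ts"] if frontend else None,
        "script_files": find_script_files(webroot),
    }


# Constructed sample log: a scripted actor hits the import task from the front
# end and then fetches the file it dropped; an admin later uses the backend.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2026:02:14:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:02:14:05 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2026:02:14:11 +0000] "GET /images/cache.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [09/Jun/2026:08:30:00 +0000] "GET /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def build_sample_webroot():
    """Constructed Joomla tree with two planted marker files, for an offline run."""
    root = tempfile.mkdtemp(prefix="jce-triage-")
    for rel, body in {
        "images/logo.png": b"\x89PNG",
        "images/cache.php": b"<?php // planted marker",
        "media/jui/upload/shell.php.jpg": b"<?php // planted marker",
        "tmp/index.html": b"<!DOCTYPE html>",
    }.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), build_sample_webroot())
    for h in report["import_requests"]:
        print(h["ts"], h["ip"], "FRONTEND" if h["frontend"] else "backend ", h["path"])
    print("restore from a backup taken before:", report["restore_before"])
    print("script files in upload folders:", report["script_files"])
```

On a real host, feed it the access log (`triage(open("access.log").readlines(), "/var/www/html")`) and treat every front-end hit and every listed file as evidence to preserve before cleaning; the web server cannot tell you who was logged in, so the front-end/backend split is only a starting point for the timeline.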

If signs of compromise are discovered, site owners should keep a copy of the suspicious profiles and files for investigation before deletion, delete all files created by these profiles, change passwords for admin logins, databases, hosting access and file transfer protocol access and run a full malware scan on the server.

Widget Factory also released a free patch package for earlier versions of JCE that cannot be updated to JCE 2.9.99.6 and noted that mySites.guru can perform a free audit to scan sites for compromise.

“One important point: updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind,” the JCE maintainers wrote.
