Ethical Hacking News
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution: A Threat to Web Applications and Server Security
The U.S. Cybersecurity and Infrastructure Security Agency has warned of a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) that allows arbitrary code execution, posing a significant threat to web applications and server security.
The Widget Factory Joomla Content Editor (JCE) has a maximum-severity security flaw impacting its users. The vulnerability (CVE-2026-48907) is an improper access control issue, allowing arbitrary code execution. Unauthenticated users can upload and execute PHP code using the JCE editor extension. The issue has been patched in version 2.9.99.5 of JCE. Multiple campaigns targeting WordPress sites have been reported, including supply chain attacks using OptinMonster and TrustPulse plugins. Federal agencies have been ordered to apply the fixes by June 19, 2026. Cybersecurity experts urge website owners and administrators to take immediate action to address this vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution.
The JCE editor extension for Joomla, which is widely used by web applications and content management systems, contains an improper access control vulnerability that allows bad actors to create new editor profiles as unauthenticated users. This, in turn, enables them to upload and execute PHP code, potentially leading to compromise of the underlying server. The issue impacts JCE versions from 1.0.0 through 2.9.99.4 and has been patched in version 2.9.99.5.
In its release notes, Widget Factory acknowledged that insufficient access controls permitted unauthenticated users to upload editor profiles. The vendor emphasized that the vulnerability is being actively exploited, that working exploit code is public, and that attacks are automated. Consequently, even websites without public registration are not safe from exploitation.
Furthermore, experts have revealed that the vulnerability is being weaponized to import a rogue editor profile and use it to drop a web shell, granting the attackers a persistent backdoor on the server. Multiple campaigns targeting WordPress sites have also been reported, including one where unknown attackers compromised a website to embed a fake WordPress plugin named "Beloved PBN Entegrasyonu." This fake plugin stealthily beaconed the site's URL to an external API upon every page load and injected arbitrary HTML or JavaScript returned by the server into the web page's footer.
In another campaign, Sansec detailed a new supply chain attack that targeted over 1 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins. The threat actors injected malicious JavaScript that waited for a logged-in administrator, created a backdoor admin account, and installed a self-hiding backdoor plugin.
The disclosure comes as researchers highlight the growing concern of supply chain attacks and their potential impact on web applications and server security. With the increasing reliance on third-party components and plugins, it is essential to stay vigilant about vulnerabilities and patch updates.
In addition, federal civilian executive branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026. This emphasizes the importance of timely patching and software updates in preventing exploitation of known security flaws.
Cybersecurity experts urge website owners and administrators to take immediate action to address this vulnerability. This includes checking for suspicious editor profiles, auditing web server access logs for unauthenticated requests to the profile import task ("index.php?option=com_jce&task=profiles.import"), and applying the available patches as soon as possible.
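The log audit recommended above can be scripted so that it survives the usual evasions (reordered or percent-encoded query parameters, mixed case). The following is an added example written for this page, not code from CISA, Widget Factory or the article. It assumes an Apache/nginx "combined" access log format, uses constructed sample lines rather than real traffic, and treats a hit on the public front-end index.php (rather than the /administrator/ back end) as the unauthenticated pattern to triage first; that last heuristic is an assumption of the example, not a statement from the advisory.

```python
"""Flag access-log requests to the JCE profile import task (CVE-2026-48907 triage)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2026:08:01:12 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jun/2026:08:01:15 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.7 - - [15/Jun/2026:08:02:40 +0000] "POST /index.php?task=profiles.import&option=com_jce&format=raw HTTP/1.1" 200 311 "-" "curl/8.0"
198.51.100.7 - - [15/Jun/2026:08:02:41 +0000] "GET /index.php?option=com_jce&task=Profiles.Import HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.44 - - [15/Jun/2026:09:10:03 +0000] "POST /administrator/index.php?option=com_jce&view=profiles&task=profiles.import HTTP/1.1" 303 0 "https://example.test/administrator/index.php?option=com_jce&view=profiles" "Mozilla/5.0"
"""

# One "combined" log line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_profile_import(target: str) -> bool:
    """True when the request target carries option=com_jce and task=profiles.import,
    regardless of parameter order, letter case or percent-encoding of the values."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in params.items()}
    return ("com_jce" in lowered.get("option", [])
            and "profiles.import" in lowered.get("task", []))


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that targets the profile import task.
    Every attempt is kept, including ones the server rejected (4xx), because a
    refused attempt still shows who is probing the site."""
    hits = []
    for raw in text.splitlines():
        match = LOG_RE.match(raw)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        rec = match.groupdict()
        if not is_profile_import(rec["target"]):
            continue
        # Assumption (not from the advisory): requests hitting the site front end
        # instead of /administrator/ are the unauthenticated pattern to triage first.
        rec["frontend"] = not urlsplit(rec["target"]).path.startswith("/administrator/")
        hits.append(rec)
    return hits


def suspicious_sources(hits: list[dict]) -> Counter:
    """Count front-end import attempts per source address for prioritised review."""
    return Counter(h["ip"] for h in hits if h["frontend"])


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "FRONTEND" if h["frontend"] else "backend"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["status"]} {flag} {h["target"]}')
    print("front-end attempts by source:", dict(suspicious_sources(found)))
```

Point the script at a real log with `scan_log(open(path).read())`; a non-empty `suspicious_sources` result is the cue to inspect the JCE profile list and any recently written .php files on that host, and a back-end hit still deserves a check that the administrator session it came from was legitimate.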
By understanding the risks associated with this vulnerability and taking proactive measures to address it, individuals can significantly reduce their exposure to potential exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Actively-Exploited-Joomla-JCE-Flaw-Allowing-PHP-Code-Execution-A-Threat-to-Web-Applications-and-Server-Security-ehn.shtml
https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html
https://nvd.nist.gov/vuln/detail/CVE-2026-48907
https://www.cvedetails.com/cve/CVE-2026-48907/
Published: Wed Jun 17 22:58:35 2026 by llama3.2 3B Q4_K_M