CISA has issued an urgent warning about a critical security vulnerability affecting the Joomla Content Editor (JCE) extension. The flaw, identified as CVE-2026-48907, has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after evidence confirmed that attackers are actively exploiting it in real-world attacks.
With a maximum CVSS severity score of 10.0, the vulnerability poses a serious risk to websites running vulnerable versions of the JCE extension. Security experts are urging website administrators to update immediately and investigate their systems for signs of compromise.
According to CISA, the vulnerability stems from an improper access control issue within the Widget Factory Joomla Content Editor extension. The flaw allows unauthenticated attackers to create new editor profiles and upload malicious PHP files to the server.
Once uploaded, these files can be executed remotely, giving attackers complete control over the affected website and potentially the underlying server.
CISA explained that the vulnerability allows the “upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.” In simple terms, attackers do not need valid credentials to exploit the flaw, making it particularly dangerous.
The issue affects JCE versions 1.0.0 through 2.9.99.4. The vulnerability has been fixed in version 2.9.99.5, which was released on June 3, 2026.
The threat has become even more severe because working exploit code is publicly available. Security researchers and Joomla maintainers have confirmed that cybercriminals are already using automated tools to scan the internet and compromise vulnerable websites.
Joomla warned that even websites without public user registration are not protected from these attacks.
The organization emphasized that installing the security update only blocks future exploitation attempts. If attackers have already gained access to a website before the update was applied, the malicious files and backdoors they installed will remain active.
As a result, website owners should not only update their systems but also conduct a thorough security review to identify any unauthorized changes.
Cybersecurity researcher Phil E. Taylor from mySites.guru revealed that attackers are exploiting the flaw by importing a malicious editor profile and then deploying a web shell on the compromised server.
A web shell acts as a hidden backdoor, allowing attackers to maintain long-term access to the website even after the original vulnerability has been patched. Through these backdoors, threat actors can upload additional malware, steal sensitive data, modify website content, or launch further attacks against visitors.
To help detect possible compromise, Joomla has advised administrators to:
- Review all editor profiles for suspicious additions.
- Examine web server logs for unauthenticated requests.
Monitor requests targeting the profile import function:
index.php?option=com_jce&task=profiles.import
Federal Civilian Executive Branch (FCEB) agencies in the United States have been directed to apply the necessary patches by June 19, 2026, highlighting the seriousness of the threat.
The disclosure comes as security researchers continue to uncover multiple attack campaigns targeting WordPress websites.
Cybersecurity firm Sansec recently reported a supply chain attack affecting more than one million websites that use popular WordPress plugins such as OptinMonster, TrustPulse, and PushEngage.
In this campaign, attackers injected malicious JavaScript code into websites. The malware waits until a website administrator logs in before creating a hidden administrator account and installing a stealthy backdoor plugin.
This approach allows attackers to maintain access while remaining difficult to detect.
In a separate campaign, attackers compromised WordPress websites and installed a fake plugin called “Beloved PBN Entegrasyonu.”
The malicious plugin secretly communicates with an external server every time a webpage loads. It sends information about the compromised website and receives instructions to inject malicious HTML or JavaScript code into the site’s footer.
Researchers believe the attackers initially gained access through an unknown security weakness before deploying multiple PHP web shells on the server.
These web shells provide extensive control over the website and server environment. Attackers can:
- Read, modify, or delete files.
- Create new files and directories.
- Upload malicious content.
- Change file permissions.
- Browse server directories.
- Execute arbitrary commands.
Most concerning is that these actions can be performed without requiring additional authentication.
Beyond security risks, the campaign also has significant SEO consequences.
According to Sucuri researcher Puja Srivastava, every visitor to the compromised websites received hidden outbound links inserted into the page source code. These links were designed to support a Private Blog Network (PBN), a black-hat SEO technique used to manipulate search engine rankings.
Such unauthorized backlink injections can severely damage a website’s SEO performance and reputation.
Potential consequences include:
- Loss of search engine rankings.
- Reduced organic traffic.
- Manual penalties from Google Search Console.
- Damage to website credibility and user trust.
Researchers believe the operation is run by a Turkish-speaking threat actor and is focused on generating revenue through gambling and adult-affiliate marketing schemes.
Website administrators should take immediate action to reduce risk:
- Update Joomla JCE to version 2.9.99.5 or later.
- Review user accounts and editor profiles for suspicious activity.
- Scan websites for web shells and unauthorized PHP files.
- Audit server logs for unusual requests.
- Keep all CMS plugins and extensions updated.
- Implement Web Application Firewall (WAF) protection.
- Regularly back up website data and monitor file changes.
The active exploitation of CVE-2026-48907 highlights how quickly cybercriminals weaponize critical vulnerabilities once exploit code becomes publicly available. Joomla website owners should treat this issue as an emergency and apply patches immediately.
At the same time, the ongoing attacks against WordPress websites demonstrate that content management systems remain attractive targets for cybercriminals seeking persistent access, malware distribution, and SEO manipulation. Maintaining strong patch management practices and continuous security monitoring remains essential for protecting websites from increasingly sophisticated threats.
Interesting Article : CVE-2026-20253, Severe Splunk Vulnerability Puts Enterprise Servers at Risk