The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the Joomla Content Editor (JCE) extension to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
Tracked as CVE-2026-48907, the flaw carries a maximum CVSS score of 10.0 and allows attackers to upload and execute malicious PHP code on vulnerable Joomla websites without authentication.
The vulnerability impacts a widely used Joomla extension and poses a significant risk to organizations that have not yet applied available security updates.
What Is CVE-2026-48907?
The vulnerability stems from an improper access control issue within the Joomla Content Editor (JCE) extension developed by Widget Factory.
According to security advisories, attackers can exploit the flaw to create unauthorized editor profiles, enabling them to upload and execute PHP files on affected servers.
Affected Versions
The vulnerability impacts:
- JCE versions 1.0.0 through 2.9.99.4
The issue has been fixed in:
- JCE version 2.9.99.5
Widget Factory released the patch on June 3, 2026, noting that insufficient access controls allowed unauthenticated users to upload editor profiles.
Active Exploitation Underway
Security researchers warn that the vulnerability is already being exploited by attackers using publicly available exploit code.
Even websites that do not allow public user registration remain vulnerable.
According to Joomla’s security advisory:
- Working exploit code is publicly available
- Attacks are largely automated
- Unpatched systems can be compromised without user interaction
Most importantly, simply installing the update does not remove malware or backdoors that may have already been deployed by attackers.
How Attackers Are Exploiting the Flaw
Researchers have observed attackers leveraging the vulnerability to import malicious editor profiles and deploy web shells onto vulnerable servers.
Once installed, these web shells provide persistent access, allowing threat actors to:
- Execute arbitrary commands
- Upload additional malware
- Modify website content
- Steal sensitive data
- Maintain long-term control over compromised servers
Security researcher Phil E. Taylor reported that attackers are actively weaponizing the flaw by uploading rogue editor profiles that facilitate web shell deployment.
Indicators of Compromise
Administrators are advised to:
- Review all JCE editor profiles for suspicious entries
- Inspect web server logs for unauthorized requests
- Monitor requests targeting:
index.php?option=com_jce&task=profiles.import
Federal Civilian Executive Branch (FCEB) agencies have been directed by CISA to patch affected systems by June 19, 2026.
Massive WordPress Supply Chain Attack Targets Over One Million Sites
The Joomla vulnerability disclosure comes as security researchers uncover multiple large-scale attacks targeting WordPress websites.
Researchers at Sansec revealed a supply chain compromise affecting more than one million websites using popular WordPress plugins, including:
- OptinMonster
- TrustPulse
- PushEngage
How the Attack Works
The attackers injected malicious JavaScript into affected websites.
The code remains dormant until a site administrator logs in. Once activated, it:
- Creates a hidden administrator account.
- Installs a stealth backdoor plugin.
- Maintains persistent access to the website.
Because the malicious code specifically targets administrators, infections can remain undetected for extended periods.
Fake WordPress Plugin Used for SEO Manipulation
In a separate campaign, threat actors compromised WordPress websites to deploy a fraudulent plugin called “Beloved PBN Entegrasyonu.”
The plugin silently communicates with an external server and injects malicious content into website pages.
Researchers discovered that the malware:
- Sends website information to attacker-controlled infrastructure
- Injects arbitrary HTML and JavaScript
- Modifies page content dynamically
- Operates without visible signs of compromise
Hidden Web Shells Found in WordPress Databases
The attackers also stored PHP web shells directly inside WordPress database records.
These payloads were embedded within the wp_posts table and could be remotely controlled through specially crafted HTTP requests.
This technique allowed attackers to avoid traditional file-based detection methods while maintaining unrestricted access to compromised servers.
Capabilities of the Database-Resident Backdoors
Once activated, the web shells provided attackers with complete control over the hosting environment.
Researchers observed capabilities including:
- Reading files across the server
- Creating and deleting files
- Uploading malicious content
- Modifying file permissions
- Renaming files and directories
- Browsing the entire file system
- Executing administrative actions remotely
Because the backdoors operate without authentication, attackers can retain access even if visible malware components are removed.
SEO Poisoning and Hidden Backlink Injection
The campaign appears to be financially motivated and focused on search engine manipulation.
Researchers found that compromised websites automatically injected hidden outbound links pointing to attacker-controlled domains.
The objective is to strengthen a private blog network (PBN) and artificially boost rankings for affiliate websites associated with high-profit industries.
Potential consequences for website owners include:
- Search engine ranking penalties
- Reduced organic traffic
- Manual actions in Google Search Console
- Reputation damage
- Loss of customer trust
Security analysts believe the operation is run by a Turkish-speaking threat actor and is likely linked to gambling and adult-affiliate monetization schemes.
Security Recommendations for Joomla and WordPress Administrators
Website owners should immediately take the following actions:
Joomla Users
- Upgrade JCE to version 2.9.99.5 or later
- Audit all editor profiles
- Search for unauthorized PHP files and web shells
- Review server logs for suspicious activity
- Conduct a full compromise assessment if exploitation is suspected
WordPress Users
- Verify the integrity of installed plugins
- Remove unknown administrator accounts
- Scan databases for malicious code injections
- Audit website source code for unauthorized JavaScript
- Monitor outbound network connections
- Implement file integrity monitoring
Final Thoughts
The active exploitation of CVE-2026-48907 highlights the ongoing threat posed by vulnerable content management systems and third-party plugins.
At the same time, the discovery of large-scale WordPress supply chain attacks demonstrates how cybercriminals continue to target website administrators through increasingly sophisticated methods.
Organizations running Joomla or WordPress environments should prioritize patch management, continuous monitoring, and routine security audits to minimize exposure and quickly detect signs of compromise before attackers establish persistent access.
