CISA orders agencies to patch actively exploited Joomla plugin bug by Friday

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a critical flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild.
Tracked as CVE-2026-48907, the vulnerability can be exploited by unauthorized attackers and is being used in automated attacks against Joomla installations that use the JCE WYSIWYG editor plugin.
"Widget Factory Joomla Content Editor contains an improper access control vulnerability that could allow unauthorized users to upload and execute PHP code through the creation of new editor profiles," CISA warned on Tuesday.

The JCE security team addressed the flaw in early June with the release of JCE Pro 2.9.99.6 and warned users to patch their installations as soon as possible.
"If you haven't updated yet, please do so immediately. The vulnerability is being exploited, the exploit code is public, and the attack is automated, so a site that is not publicly known is not safe," it said.
"One important point: the update closes the entry point but doesn't clean up an already compromised site. If you were hit before the update, the update won't remove what the attacker left behind."
To clean up a compromised site, users are advised to first make a copy of any malicious editor profiles for later investigation, then update to JCE 2.9.99.6 or later, delete the attacker's profile, change all passwords (including those of the administrator account, the site database, and the hosting account), and finally run a full server-side malware scan to make sure the attacker has not planted other tools, such as web shells or backdoors.
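A small triage script for the cleanup steps above, added here as an example and not tooling from JCE, CISA, or the article. It assumes things the page does not state: that the site runs on MySQL/MariaDB, that JCE keeps its editor profiles in a table named <prefix>wf_profiles, and that JCE uploads land under the Joomla webroot's images/ directory by default. The table prefix jos_ and the path /var/www/html in the usage comment are placeholders.

```shell
#!/bin/sh
# Added triage helper for a Joomla site hit through the JCE profile flaw.
# Example code written for this article, not tooling from JCE or CISA.
# Assumptions (not stated on the page): JCE keeps editor profiles in the
# table <prefix>wf_profiles, the site uses MySQL/MariaDB, and JCE uploads
# land under the Joomla webroot's images/ directory by default.

# Step 1: preserve the profiles table (including any attacker-created row)
# before deleting anything, so the malicious profile can be studied later.
dump_jce_profiles() {
    db="$1"; prefix="$2"; out="$3"
    mysqldump --single-transaction "$db" "${prefix}wf_profiles" > "$out"
}

# Show profile names and publish state so the attacker's profile can be
# identified: it will be one the site owner never created.
list_jce_profiles() {
    db="$1"; prefix="$2"
    mysql "$db" -e "SELECT id, name, published, users, area FROM ${prefix}wf_profiles;"
}

# Last step: look for PHP-like files in directories that hold uploads and
# should never contain executable code. Double extensions (shell.php.jpg)
# and .htaccess files (used to re-enable PHP execution in images/) are
# flagged too. Prints one path per line; empty output means nothing found.
scan_upload_dirs() {
    webroot="$1"
    for d in images media tmp cache; do
        [ -d "$webroot/$d" ] || continue
        find "$webroot/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \
            -o -name '.htaccess' \)
    done
}

# PHP files changed in the last N days anywhere under the webroot; compare
# the list against the update date to spot files the attacker dropped or
# modified (core files legitimately touched by the update will show up too).
recently_modified_php() {
    find "$1" -type f -iname '*.php' -mtime "-$2"
}

# Usage (run on the affected host; jos_ and /var/www/html are placeholders):
#   dump_jce_profiles joomla_db jos_ wf_profiles_evidence.sql
#   list_jce_profiles joomla_db jos_
#   scan_upload_dirs /var/www/html
#   recently_modified_php /var/www/html 30
```

Anything scan_upload_dirs prints deserves a manual look before deletion; keep copies of the files alongside the profile dump as evidence, since the update itself leaves them in place.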
On Tuesday, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems by Friday, as required by Binding Operational Directive (BOD) 26-04.
"These types of vulnerabilities are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise," the cybersecurity agency warned yesterday. "Follow the applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are not available. Agencies are responsible for assessing the Internet exposure of each asset and ensuring adherence to the remediation guidance in BOD 26-04."
CISA issued BOD 26-04 last Wednesday; it requires US government agencies to prioritize remediation based on each vulnerability's risk of exploitation.
Important factors in that assessment include whether the flaw is listed in CISA's Known Exploited Vulnerabilities catalog, whether the vulnerable assets are exposed to the Internet, whether exploitation can be automated in large-scale attacks, and whether a successful exploit gives attackers partial or complete control of the target system.
