"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA warned on Tuesday.
CISA orders Federal Civilian Executive Branch agencies to patch by Friday
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin to its list of actively exploited vulnerabilities and directed Federal Civilian Executive Branch (FCEB) agencies to secure affected systems by Friday under Binding Operational Directive (BOD) 26-04. CISA characterized the flaw as a frequent attack vector that "poses significant risks to the federal enterprise."
CVE-2026-48907: unauthenticated code execution via JCE editor profiles
The vulnerability, tracked as CVE-2026-48907, allows attackers with no privileges to achieve code execution through low-complexity attacks against Joomla deployments that use the JCE WYSIWYG editor plugin. The vendor and CISA both warned the vulnerability is being actively exploited in the wild and that working exploit code is publicly available. The JCE security team stated: "If you have not yet updated, please do so immediately. The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe."
JCE response: patch released and cleanup instructions
The JCE security team released JCE Pro 2.9.99.6 in early June to address the flaw and urged users to install the update without delay. The team also emphasized that patching mitigates the entry point but does not remove artifacts left by attackers: "One important point: updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind."
For sites that may have been compromised, the vendor recommends a sequence of actions: back up the rogue profiles for investigation, update to JCE 2.9.99.6 or later, delete the attacker's profile, change all passwords (including administrator, the site's database, and the hosting account), and run a full server-side malware scan to confirm no other malicious tools or implants remain.
BOD 26-04 compliance: assessment factors and operational choices
BOD 26-04—issued last Wednesday—requires agencies to prioritize patching based on each vulnerability's risk of exploitation. CISA listed key factors for that risk assessment: whether the flaw is included in CISA's Known Exploited Vulnerabilities Catalog; whether vulnerable assets are publicly exposed online; whether exploitation can be automated for large-scale attacks; and whether it grants attackers partial or total control of the targeted system. Agencies are instructed to "follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable."
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: install JCE Pro 2.9.99.6 or later immediately, inventory Joomla instances that include the JCE editor, and perform the vendor-recommended cleanup and full server-side malware scans if compromise is suspected.
- Procurement and cloud owners: evaluate each asset's internet exposure and apply BOD 26-04 guidance for cloud services or consider discontinuing the product where mitigations cannot be applied.
- End users and site administrators: treat sites with no public registration as vulnerable because attacks are automated and exploit code is public; change administrator, database, and hosting passwords after patching and follow cleanup steps if a compromise occurred.
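The two defender tasks above (checking whether an installed JCE build predates 2.9.99.6, and reviewing editor profiles before deleting any the attacker created, as the vendor's cleanup sequence recommends) can be scripted. The following is an added example written for this article, not code from JCE, Joomla, or CISA. It assumes that Joomla keeps the installed version in the `manifest_cache` JSON column of the `#__extensions` table, that JCE keeps profiles in a `#__wf_profiles` table with `id`, `name`, `types` and `published` columns where `types` is a comma-separated list of Joomla user-group IDs, that group IDs 1 and 9 are Public and Guest, and that a fresh JCE install ships profiles named "Default" and "Front End"; every row of sample data is constructed.

```python
"""Triage helpers for the JCE (CVE-2026-48907) response described in the article.

Added example, not the vendor's code. Table, column and group-ID assumptions
are marked in comments; all sample rows are constructed.
"""
import json
import re

# The fixed release named by the JCE security team, as a comparable tuple.
PATCHED = (2, 9, 99, 6)

# Assumption: Joomla's default Public (1) and Guest (9) group IDs. A profile
# that grants the editor to these groups is usable by unauthenticated users,
# which is the abuse path the article describes.
PUBLIC_GROUPS = {"1", "9"}

# Assumption: the profile names a stock JCE install ships with.
KNOWN_PROFILE_NAMES = {"Default", "Front End"}


def parse_version(version: str) -> tuple:
    """Turn '2.9.99.10' into (2, 9, 99, 10).

    Plain string comparison would rank '2.9.99.10' below '2.9.99.6', so each
    dotted component is compared numerically; missing components count as 0
    and any non-numeric suffix (e.g. '-rc1') is ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_vulnerable(installed: str) -> bool:
    """True when the installed JCE build is older than the patched release."""
    return parse_version(installed) < PATCHED


def jce_version_from_manifest_cache(manifest_cache: str) -> str:
    """Read the version string from a #__extensions.manifest_cache JSON value.

    Assumption: Joomla stores the extension manifest as JSON with a 'version' key.
    """
    return json.loads(manifest_cache).get("version", "0")


def suspicious_profiles(rows, known_names=KNOWN_PROFILE_NAMES):
    """Flag editor profiles worth backing up and investigating before deletion.

    Assumption: `rows` are dicts shaped like #__wf_profiles rows. A profile is
    flagged if its name is not one of the expected defaults or if it grants
    the editor to Public/Guest groups. Findings keep the input order.
    """
    findings = []
    for row in rows:
        reasons = []
        if row["name"] not in known_names:
            reasons.append("name not in the expected profile set")
        groups = {g.strip() for g in str(row.get("types", "")).split(",") if g.strip()}
        if groups & PUBLIC_GROUPS:
            reasons.append("grants the editor to Public/Guest groups (unauthenticated users)")
        if reasons:
            findings.append({
                "id": row["id"],
                "name": row["name"],
                "state": "published" if row.get("published") else "unpublished",
                "reasons": reasons,
            })
    return findings


# Constructed sample data standing in for a SELECT from the two tables.
SAMPLE_MANIFEST_CACHE = '{"name": "JCE", "type": "component", "version": "2.9.99.5"}'
SAMPLE_PROFILE_ROWS = [
    {"id": 1, "name": "Default", "types": "3,4,5,6,7,8", "published": 1},
    {"id": 2, "name": "Front End", "types": "3,4,5", "published": 1},
    {"id": 7, "name": "wp-cache", "types": "1,9", "published": 1},
    {"id": 8, "name": "Old Test", "types": "1", "published": 0},
]


if __name__ == "__main__":
    installed = jce_version_from_manifest_cache(SAMPLE_MANIFEST_CACHE)
    print(f"installed JCE {installed}: vulnerable={is_vulnerable(installed)}")
    for finding in suspicious_profiles(SAMPLE_PROFILE_ROWS):
        print(f"profile {finding['id']} '{finding['name']}' ({finding['state']}): "
              + "; ".join(finding["reasons"]))
```

Run against real data by replacing the two constructed samples with the results of a query on `#__extensions` (for the JCE row) and `#__wf_profiles`; flagged profiles should be exported for investigation before they are deleted, matching the vendor's order of operations.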
CISA's directive makes clear this is an operational deadline, not a suggestion: agencies must patch quickly, but patching alone will not remediate prior intrusions. With exploit code public and automated attacks ongoing, the combination of rapid patching and careful forensic cleanup is the practical next step for any organization running the JCE editor.