CISA Warns of Actively Exploited Joomla Flaw Enabling PHP Code Execution

"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA said.

CVE-2026-48907: scope, score, and the patch

The flaw is tracked as CVE-2026-48907 and carries a maximum CVSS score of 10.0. According to CVE.org and the vendor, the issue affects Widget Factory's Joomla Content Editor (JCE) in versions 1.0.0 through 2.9.99.4. Widget Factory released a patched build, version 2.9.99.5, on June 3, 2026; its release notes state that "insufficient access controls permitted unauthenticated users to upload editor profiles."

CISA adds the JCE flaw to the KEV catalog and orders federal fixes

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the JCE vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, citing evidence of active exploitation. CISA's action came with a directive for Federal Civilian Executive Branch (FCEB) agencies to apply fixes by June 19, 2026. The agency also noted that there is currently no public information describing how the vulnerability is being exploited in the wild.

How the vulnerability enables PHP upload and execution

Public descriptions attribute the root cause to improper access control inside the JCE extension for Joomla. The vulnerability permits the creation of new editor profiles for unauthenticated users; that capability can be leveraged to upload PHP code and then execute it. In short, an attacker who can create an editor profile without authenticating can use that profile as a vector to place and run PHP on the server hosting the editor.
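As an added defensive example (not code from the article or from Widget Factory), the following Python script does the two checks a Joomla administrator would want after reading the above: it reads the JCE version from the component's extension manifest and tests it against the affected range the article cites (1.0.0 through 2.9.99.4), and it walks an upload tree looking for files whose content carries a PHP open tag, regardless of what their extension claims. The manifest path `administrator/components/com_jce/jce.xml` and the use of `images/` as the upload root are assumptions; the sample site tree the script builds is constructed for the demonstration.

```python
"""Added example, not code from the article or from Widget Factory: check a
Joomla install's JCE manifest against the range the article gives as affected
(1.0.0 through 2.9.99.4) and scan upload directories for files carrying a PHP
open tag. The manifest path and upload root are assumptions; the sample tree
is constructed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (2, 9, 99, 4)   # last affected build named in the article
PATCHED = (2, 9, 99, 5)        # fixed build named in the article

# Assumed location of the JCE component manifest inside a Joomla root.
JCE_MANIFEST = os.path.join("administrator", "components", "com_jce", "jce.xml")

PHP_OPEN = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def parse_version(text):
    """'2.9.99.4' -> (2, 9, 99, 4); numeric components only."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _pad(v, n):
    return v + (0,) * (n - len(v))


def is_affected(version_text):
    """True when the version lies in [1.0.0, 2.9.99.4]; shorter versions are
    right-padded with zeros so '2.9.99' compares as 2.9.99.0."""
    v = parse_version(version_text)
    n = max(len(v), len(AFFECTED_MAX), len(AFFECTED_MIN))
    return _pad(AFFECTED_MIN, n) <= _pad(v, n) <= _pad(AFFECTED_MAX, n)


def manifest_version(site_root):
    """Read <version> from the JCE manifest, or None if the extension is absent."""
    path = os.path.join(site_root, JCE_MANIFEST)
    if not os.path.exists(path):
        return None
    node = ET.parse(path).getroot().find("version")
    return node.text.strip() if node is not None and node.text else None


def find_php_in_uploads(upload_root):
    """Relative paths under upload_root whose first 64 KiB contain a PHP open tag.
    Upload/media trees should hold only static assets, so a hit is suspicious
    whatever the file extension says."""
    hits = []
    for dirpath, _, files in os.walk(upload_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_OPEN.search(fh.read(65536)):
                    hits.append(os.path.relpath(path, upload_root))
    return sorted(hits)


def audit(site_root):
    """Combine the version check and the upload scan into one report."""
    ver = manifest_version(site_root)
    return {
        "jce_version": ver,
        "affected": is_affected(ver) if ver else None,
        "php_in_uploads": find_php_in_uploads(os.path.join(site_root, "images")),
    }


def build_demo_site():
    """Constructed sample: a minimal Joomla-like tree with an affected JCE
    manifest and one image-named file that actually contains PHP."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.dirname(os.path.join(root, JCE_MANIFEST)))
    with open(os.path.join(root, JCE_MANIFEST), "w") as fh:
        fh.write('<?xml version="1.0"?><extension type="component" method="upgrade">'
                 '<name>JCE</name><version>2.9.99.4</version></extension>')
    uploads = os.path.join(root, "images", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")                    # genuine-looking image header
    with open(os.path.join(uploads, "banner.jpg"), "wb") as fh:
        fh.write(b"<?php /* constructed marker */ ?>")   # PHP hiding behind an image name
    return root


if __name__ == "__main__":
    print(audit(build_demo_site()))
```

Pointing `audit()` at a real Joomla root reports the installed JCE version, whether it falls in the affected range, and any upload-tree files that contain PHP; a version at or above 2.9.99.5 reports `affected: False`, but the upload scan is still worth running, since a patch does not remove files already placed.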

Parallel activity: mass WordPress supply‑chain campaigns and web shells

The disclosure about JCE arrives alongside reports of large-scale WordPress-targeting campaigns. Security firm Sansec detailed a supply-chain attack that impacted more than 1 million sites using the OptinMonster, TrustPulse, and PushEngage plugins. In that campaign, malicious JavaScript waited for a logged-in administrator, created a backdoor admin account, and installed a self-hiding backdoor plugin.

Separately, researchers found a compromise that used a fake WordPress plugin named "Beloved PBN Entegrasyonu." That plugin beaconed the site's URL to an external API on every page load and injected arbitrary HTML or JavaScript returned by the server into the page footer. Attackers in that incident staged two PHP web shells as raw executable code inside the site's "wp_posts" database records and were able to interact with those scripts over HTTP. The database-resident payloads reportedly allowed the actors to read, write, edit, or delete any file on the server, browse directories, change permissions, rename files, create files and folders, and upload files from their systems without authentication.

Sucuri researcher Puja Srivastava summed up one consequence: "Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site's search rankings and risking a manual penalty in Google Search Console." Sansec characterized the operator as a Turkish-speaking threat actor running a classic SEO monetization scheme—hidden backlink injection for a Private Blog Network (PBN), likely tied to the gambling and adult affiliate niche.

What this means for FCEB agencies, Joomla site owners, and WordPress administrators

  • FCEB agencies: The CISA KEV addition carries a compliance deadline—apply the JCE 2.9.99.5 patch by June 19, 2026, as ordered.
  • Joomla site owners and administrators: The affected JCE range is 1.0.0 through 2.9.99.4; upgrading to 2.9.99.5 addresses the reported improper access control that permits unauthenticated profile creation and potential PHP upload/execution.
  • WordPress administrators and security teams: Recent campaigns emphasize the risk of compromised plugins and database-resident payloads. Teams should examine plugin integrity, check for unexpected admin accounts and self‑hiding plugins, and audit wp_posts for suspicious executable payloads and outbound link injection.
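The wp_posts audit recommended above, and the database-resident web shells and injected outbound links described in the earlier account of the fake-plugin compromise, can be triaged with a small script. The following Python is an added example, not code from the article, Sucuri or Sansec: it flags rows whose post_content contains PHP markers and rows carrying off-site links styled as invisible, while counting visible off-site links without flagging them, since those are normal in real posts. The site hostnames and the sample rows are constructed; on a live site the same checks would run over rows selected from wp_posts.

```python
"""Added example, not code from the article, Sucuri or Sansec: triage
wp_posts-style rows for embedded PHP and for hidden outbound links of the kind
the SEO-injection campaign used. Rows here are constructed; on a live site the
same checks run over rows pulled with a SELECT on wp_posts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hostnames that belong to the site being audited (constructed).
SITE_HOSTS = {"example-site.test", "www.example-site.test"}

# Post content is HTML/text; none of these belong in a legitimate row.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\b(?:eval|base64_decode|shell_exec|passthru|system)\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class LinkCollector(HTMLParser):
    """Collect <a href> targets and whether each anchor is styled as invisible."""

    def __init__(self):
        super().__init__()
        self.links = []  # (href, hidden)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = a.get("href")
        if href:
            self.links.append((href, bool(HIDDEN_STYLE.search(a.get("style") or ""))))


def external_links(html):
    """Return (href, hidden) for anchors pointing off-site; relative links are skipped."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for href, hidden in p.links:
        host = urlparse(href).hostname
        if host and host.lower() not in SITE_HOSTS:
            out.append((href, hidden))
    return out


def audit_rows(rows):
    """Flag rows containing PHP markers or hidden off-site links.
    Visible off-site links are reported as a count only, since they are normal."""
    findings = []
    for row in rows:
        content = row["post_content"]
        reasons = []
        if PHP_MARKERS.search(content):
            reasons.append("php-marker")
        ext = external_links(content)
        hidden = [h for h, is_hidden in ext if is_hidden]
        if hidden:
            reasons.append("hidden-external-link")
        if reasons:
            findings.append({"ID": row["ID"], "post_type": row["post_type"],
                             "post_status": row["post_status"], "reasons": reasons,
                             "external_link_count": len(ext), "hidden_links": hidden})
    return findings


# Constructed sample rows shaped like wp_posts (ID, post_type, post_status, post_content).
SAMPLE_ROWS = [
    {"ID": 10, "post_type": "post", "post_status": "publish",
     "post_content": '<p>Welcome. See <a href="https://www.example-site.test/about">about</a>.</p>'},
    {"ID": 11, "post_type": "post", "post_status": "draft",
     "post_content": "<?php /* constructed sample, not a real payload */ echo 'x'; ?>"},
    {"ID": 12, "post_type": "page", "post_status": "publish",
     "post_content": ('<p>Footer <a href="https://partner.example">partner</a>'
                      '<a href="https://pbn-example.test/casino" style="display:none">x</a></p>')},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```

A PHP marker in post_content is the strongest signal, because nothing in normal editorial content produces one; the hidden-link check is narrower than the campaign's technique (links can also be hidden by an enclosing element or by CSS elsewhere), so treat it as a starting filter and review the external link counts on rows that look out of place.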

CISA's placement of CVE-2026-48907 on the KEV list makes plain that attackers are active; what remains opaque is exactly how those actors are exploiting the bug in the wild. With a federal patch deadline of June 19 and a string of high-volume WordPress supply-chain intrusions running concurrently, the immediate task is straightforward: apply the JCE patch, hunt for signs of compromise such as rogue editor profiles or database-resident web shells, and verify plugin provenance. Beyond that, the record supplied so far leaves one concrete question: given CISA's evidence of active exploitation, how quickly and by what means are adversaries moving from profile creation to persistent, server‑level control?