{"id":1341,"date":"2026-06-17T06:44:31","date_gmt":"2026-06-17T06:44:31","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1341"},"modified":"2026-06-17T06:44:31","modified_gmt":"2026-06-17T06:44:31","slug":"cisa-warns-of-actively-exploited-joomla-jce-flaw-allowing-php-code-execution","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1341","title":{"rendered":"CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 17, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Supply Chain Attack<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/06\/16\/cisa-adds-one-known-exploited-vulnerability-catalog\">added<\/a> a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.<\/p>\n<p>The vulnerability, tracked as <b><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-48907\">CVE-2026-48907<\/a><\/b> (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution.<\/p>\n<p>\u00abWidget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users,\u00bb CISA <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">said<\/a>.<\/p>\n<p>According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution.<\/p>\n<p>The issue impacts JCE versions from 1.0.0 through 2.9.99.4. It has been patched in version 2.9.99.5, released on June 3, 2026. 
In its release notes, Widget Factory <a href=\"https:\/\/www.joomlacontenteditor.net\/support\/changelog\/editor#29995\">said<\/a> \u00abinsufficient access controls permitted unauthenticated users to upload editor profiles.\u00bb<\/p>\n<p>There is currently no information on how the vulnerability is being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026.<\/p>\n<h3>Multiple Campaigns Target WordPress Sites<\/h3>\n<p>The disclosure comes as Sansec <a href=\"https:\/\/thehackernews.com\/2026\/06\/popular-wordpress-plugin-scripts.html\">detailed<\/a> a new supply chain attack campaign that targeted over 1 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins, with the threat actors injecting malicious JavaScript that \u00abwaits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin.\u00bb<\/p>\n<p>In another campaign, unknown attackers have been found to compromise a WordPress site to embed a fake WordPress plugin named \u00abBeloved PBN Entegrasyonu\u00bb that stealthily beaconed the site&#8217;s URL to an external API upon every page load and injected arbitrary HTML or JavaScript returned by the server into the web page&#8217;s footer.<\/p>\n<p>Exactly how the attackers breached the website is unclear, but the access is said to have enabled them to stage two PHP web shells as raw executable code within the \u00abwp_posts\u00bb database records and granted them the ability to interact with the scripts over HTTP. 
This, in turn, facilitated unrestricted read\/write access to the entire server file system without requiring any authentication.<\/p>\n<p>Specifically, the database-resident payloads allow the threat actor to perform file operations such as reading, writing, editing, or deleting any file on the server, browse directories across the entire server, change file permissions, rename files, create new files and folders, and upload files from their own computer.<\/p>\n<p>\u00abEvery visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site&#8217;s search rankings and risking a manual penalty in Google Search Console,\u00bb Sucuri researcher Puja Srivastava <a href=\"https:\/\/blog.sucuri.net\/2026\/06\/wordpress-pbn-plugin-drops-dual-webshells-via-database-injection.html\">said<\/a>.<\/p>\n<p>\u00abThe campaign is operated by a Turkish-speaking threat actor and is built around a classic SEO monetization scheme: hidden backlink injection for a Private Blog Network (PBN), most likely tied to the gambling and adult affiliate niche.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Jun 17, 2026, Vulnerability \/ Supply Chain Attack. The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE)&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1342,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[201,60,62,10,13,128,70,2073,2072,1067,148],"class_list":["post-1341","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actively","tag-allowing","tag-cisa","tag-code","tag-execution","tag-exploited","tag-flaw","tag-jce","tag-joomla","tag-php","tag-warns"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1341"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1341\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1342"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}