The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch a critical security flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited by attackers.
Tracked as CVE-2026-48907, the maximum-severity vulnerability allows unauthenticated attackers to upload and execute malicious PHP code on vulnerable Joomla websites that use the popular JCE WYSIWYG editor plugin.
According to CISA, the flaw stems from an improper access control issue that enables attackers to create new editor profiles and gain remote code execution without requiring any privileges.
The JCE security team fixed the vulnerability earlier this month with the release of JCE Pro 2.9.99.6 and urged users to update immediately. The team warned that publicly available exploit code and automated attacks mean even websites without public user registration remain at risk.
However, applying the update alone will not remove any malicious files or backdoors already installed on compromised systems. Administrators are advised to back up suspicious profiles for investigation, update to JCE 2.9.99.6 or later, delete unauthorized accounts, reset all passwords, and conduct a full server-side malware scan.
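The advisory's point that updating does not clean up what an intruder already dropped is worth turning into a concrete triage routine. The following Python is an added example written for this page, not code from CISA or the JCE project. It checks two things an administrator would want to know after reading the advice above: whether the installed JCE version is older than the fixed 2.9.99.6 release (using numeric comparison, because a plain string compare would wrongly treat a future 2.9.99.10 as older than 2.9.99.6), and whether any file with a PHP-executable extension sits inside an upload tree that should only ever hold media. The manifest path, the upload directory and the extension list are assumptions about a typical Joomla layout, not values taken from the advisory; the manual steps it lists (backing up suspicious profiles, removing unauthorized accounts, resetting passwords, a full malware scan) are not automated here.

```python
"""Post-update triage helper for the JCE advisory (added example, not the
advisory's or the project's own code).  Labelled assumptions: the manifest
path, the upload directory layout and the PHP extension list are typical
Joomla conventions, not values stated in the advisory."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

FIXED_VERSION = "2.9.99.6"  # the fixed release named in the advisory

# Assumption: where a Joomla install usually keeps the JCE component manifest.
JCE_MANIFEST = "administrator/components/com_jce/jce.xml"

# Assumption: extensions a typical PHP server will execute; upload trees
# should contain media only, so any of these is worth a look.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so 2.9.99.10 sorts after 2.9.99.6.
    A non-numeric component counts as 0."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so 2.9.99 compares as 2.9.99.0
    b += (0,) * (n - len(b))
    return a < b


def installed_version(site_root: str) -> Optional[str]:
    """Read the <version> element from the JCE manifest, if the file exists."""
    path = Path(site_root) / JCE_MANIFEST
    if not path.is_file():
        return None
    m = re.search(r"<version>\s*([^<\s]+)\s*</version>", path.read_text(errors="replace"))
    return m.group(1) if m else None


def find_executable_uploads(upload_dir: str) -> list:
    """Return POSIX-style relative paths of files under the upload tree whose name
    carries a PHP-executable extension anywhere (catches shell.php and
    shell.php.jpg alike, since some server configs execute the latter)."""
    root = Path(upload_dir)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and {s.lower() for s in p.suffixes} & PHP_EXTS:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Build a constructed, throw-away site tree and run both checks on it."""
    site = Path(tempfile.mkdtemp(prefix="jce_triage_"))
    try:
        manifest = site / JCE_MANIFEST
        manifest.parent.mkdir(parents=True)
        # Constructed manifest: one release behind the fix.
        manifest.write_text("<extension><name>JCE</name><version>2.9.99.5</version></extension>")
        uploads = site / "images"  # assumed upload directory
        (uploads / "cache").mkdir(parents=True)
        (uploads / "photo.jpg").write_bytes(b"\x89PNG constructed media file")
        (uploads / "photo.php.jpg").write_text("<?php /* constructed: double extension */ ?>")
        (uploads / "cache" / "shell.php").write_text("<?php /* constructed: stray PHP in uploads */ ?>")
        ver = installed_version(str(site))
        return {
            "installed": ver,
            "needs_update": needs_update(ver) if ver else True,
            "suspicious": find_executable_uploads(str(uploads)),
        }
    finally:
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real site root in place of the constructed tree and treat every hit in `suspicious` as something to back up for investigation before removal, in line with the advisory's sequence; a clean result from this check is not a substitute for the full server-side malware scan it recommends.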
CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog on Tuesday and ordered Federal Civilian Executive Branch agencies to secure affected systems by Friday under the requirements of Binding Operational Directive 26-04.
The agency warned that vulnerabilities allowing automated exploitation and remote control of internet-facing systems pose a significant risk to government networks and should be prioritized for immediate remediation.
CISA Orders Urgent Patching of Actively Exploited Joomla JCE Flaw