Joomla JCE Flaw: Patch It, Then Check You Weren’t Already Hit
CISA has warned that a critical vulnerability in the Joomla Content Editor (JCE) extension is being actively exploited. The flaw, CVE-2026-48907, carries the maximum CVSS score of 10.0, which is never the sort of score you want next to your CMS plugin.
The issue affects Widget Factory Joomla Content Editor versions 1.0.0 through 2.9.99.4. It allows unauthenticated attackers to create new editor profiles, which can then be abused to upload and execute PHP code.
That is a direct route to web shell deployment, server compromise and persistent access. In other words, not just “someone changed the homepage”, but “someone may now have a backdoor”.
Joomla has warned that attacks are automated and public exploit code exists. Because the flaw needs no account at all, sites with no public registration are not automatically safe either. Updating the extension closes the entry point, but it does not remove anything attackers may already have dropped.
Administrators should upgrade to JCE 2.9.99.5 or later, then investigate: check for editor profiles nobody on the team created, audit web server logs for unauthenticated requests to the profile import task, and search the web root for PHP files that should not be there, particularly under directories that only ever receive uploads.
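A starting point for the log review and file-system sweep described above, added here as an example; it is not code from JCE, Joomla, CISA or the advisory. It assumes the vulnerable task is reached through Joomla's usual index.php?option=com_jce&task=... routing with a task name containing "profile" and "import", that the site is served from the web root, and that uploads live under images/ and media/. The access-log lines and the throwaway web root it scans are constructed samples, not real traffic.

```python
"""Post-patch hunt for the JCE profile-creation flaw: log review plus a file-system sweep."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line. Adjust if your log format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: the vulnerable endpoint is reached through Joomla's normal
# index.php?option=com_jce&task=... routing and the task name contains both
# "profile" and "import". Confirm the exact task name against the advisory.
TASK_WORDS = (re.compile(r'profile', re.I), re.compile(r'import', re.I))

# PHP-executable extensions, including double extensions such as shell.php.jpg.
PHP_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.I)

# Request paths under directories that should only ever serve uploaded media.
UPLOAD_PATH_RE = re.compile(r'^/(images|media)/.+\.(php\d?|phtml|phar)\b', re.I)


def is_profile_import_request(target):
    """True if a request target looks like a call to JCE's profile import task."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs percent-decodes, so task=profiles%2Eimport is seen as profiles.import
    if query.get("option", [""])[0].lower() != "com_jce":
        return False
    return any(all(w.search(t) for w in TASK_WORDS) for t in query.get("task", []))


def _parsed(lines):
    """Yield regex matches for every line that parses as a combined-format entry."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m


def find_profile_import_hits(lines):
    """(ip, time, method, target, status) for each request to the profile import task."""
    return [(m["ip"], m["time"], m["method"], m["target"], m["status"])
            for m in _parsed(lines) if is_profile_import_request(m["target"])]


def find_webshell_requests(lines):
    """Same tuple for requests that executed a PHP file under an upload directory."""
    return [(m["ip"], m["time"], m["method"], m["target"], m["status"])
            for m in _parsed(lines) if UPLOAD_PATH_RE.match(urlsplit(m["target"]).path)]


def find_php_in_upload_dirs(root, subdirs=("images", "media")):
    """List files with PHP-executable names under the site's upload directories."""
    found = []
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            found.extend(os.path.join(dirpath, f) for f in files if PHP_EXT_RE.search(f))
    return sorted(found)


# Constructed sample traffic (RFC 5737 documentation addresses, not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/May/2026:10:00:02 +0000] "POST /index.php?option=com_jce&task=profiles%2Eimport HTTP/1.1" 303 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/May/2026:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2026:10:01:05 +0000] "GET /images/cache/x.php?cmd=id HTTP/1.1" 200 33 "-" "python-requests/2.31"',
]


def build_sample_webroot():
    """Create a constructed, throwaway web root with one planted PHP file for a dry run."""
    root = tempfile.mkdtemp(prefix="jce-hunt-")
    os.makedirs(os.path.join(root, "images", "cache"))
    for rel in ("images/logo.png", "images/cache/x.php", "images/index.html"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    for hit in find_profile_import_hits(SAMPLE_LOG):
        print("profile import request:", *hit)
    for hit in find_webshell_requests(SAMPLE_LOG):
        print("PHP served from upload dir:", *hit)
    print("PHP on disk under upload dirs:", find_php_in_upload_dirs(build_sample_webroot()))
```

Three caveats when running this against a real server. Access logs do not record session state, so "unauthenticated" cannot be read off a line; treat any hit on the task from an address that is not one of your administrators as worth pulling apart. POST bodies are not logged either, so an attacker who sent the task in the body leaves no hit, and an empty result is not proof of absence; compare the profile list in the JCE administration screen against what your team actually created regardless. If the site lives under a path prefix, extend the path pattern accordingly.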
The wider lesson is that CMS extensions remain a favourite target because they often run with broad access and are not always patched as quickly as the core platform.
Treat this as patch-and-hunt, not patch-and-relax.