EXECUTIVE SUMMARY:
CVE-2026-48907 (CVSS score 10.0) is a critical improper access-control flaw in the Widget Factory Joomla Content Editor (JCE) extension affecting versions 1.0.0 through 2.9.99.4. The vulnerability allows unauthenticated users to create new editor profiles via the index.php?option=com_jce&task=profiles.import endpoint, which in turn permits arbitrary PHP file upload and execution. An attacker can exploit this by sending a crafted HTTP request that imports a malicious editor profile containing a PHP web shell; no prior authentication or valid user session is required, and because exploit code is publicly available, any Joomla site running a vulnerable JCE version can be attacked automatically. Once the payload executes, the threat actor gains remote code execution and can establish a persistent backdoor to run commands, modify or delete files, and exfiltrate data from the server. The business impact is complete compromise of the web application, with potential data breach, loss of integrity, downtime, and reputational damage, especially for sites handling customer information or e-commerce functions. Exploitation requires the site to expose the profile import interface to the internet and to run a vulnerable JCE version without additional hardening controls.
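Two checks a defender would want from the summary above, written here as an added example rather than code from the advisory or from the JCE project: a version-range test against the affected range the advisory states (1.0.0 through 2.9.99.4, inclusive), and a scan of web-server access logs for requests to the profile import endpoint, which should never be reached by anonymous clients. The log lines, IP addresses and timestamps are constructed for the example; the log format assumed is the Apache/Nginx combined format, and only the request line's query string is inspected (parameters sent in a POST body do not appear in access logs, so a match on the query string is a strong signal but its absence is not proof).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected range as stated in the advisory: 1.0.0 through 2.9.99.4 inclusive.
VULNERABLE_MIN = (1, 0, 0)
VULNERABLE_MAX = (2, 9, 99, 4)

# Endpoint named in the advisory: index.php?option=com_jce&task=profiles.import
JCE_OPTION = "com_jce"
IMPORT_TASK = "profiles.import"

# Common/combined access-log prefix: ip ident user [ts] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one ordinary request, one import attempt that was served,
# one import attempt that was blocked (parameters in a different order on purpose).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [04/Jun/2026:10:01:12 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 4821
203.0.113.55 - - [04/Jun/2026:10:02:40 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 311
198.51.100.7 - - [04/Jun/2026:10:05:03 +0000] "GET /administrator/index.php?task=profiles.import&option=com_jce HTTP/1.1" 403 0
"""


def parse_version(version):
    """Turn '2.9.99.4' into (2, 9, 99, 4) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_jce_version(version):
    """True when the installed JCE version lies inside the advisory's affected range."""
    return VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX


def is_profile_import_request(request_path):
    """True when the request targets index.php with option=com_jce and task=profiles.import.

    Query parameters are parsed rather than substring-matched so parameter order
    and extra parameters do not hide a hit.
    """
    parts = urlsplit(request_path)
    query = parse_qs(parts.query)
    return (
        parts.path.endswith("index.php")
        and query.get("option") == [JCE_OPTION]
        and query.get("task") == [IMPORT_TASK]
    )


def find_profile_import_requests(log_text):
    """Return one record per access-log line that hit the profile import endpoint."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match or not is_profile_import_request(match.group("path")):
            continue
        hits.append({
            "ip": match.group("ip"),
            "timestamp": match.group("ts"),
            "method": match.group("method"),
            "status": int(match.group("status")),
            "path": match.group("path"),
        })
    return hits


if __name__ == "__main__":
    for ver in ("1.0.0", "2.9.99.4", "2.9.99.5", "3.0.0"):
        print(f"JCE {ver}: {'VULNERABLE' if is_vulnerable_jce_version(ver) else 'not in affected range'}")
    for hit in find_profile_import_requests(SAMPLE_ACCESS_LOG):
        # A 2xx here means the import endpoint answered; treat it as an incident lead.
        flag = "SERVED" if 200 <= hit["status"] < 300 else "blocked"
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} ({flag})")
```

A served (2xx) hit from an address that never authenticated is the lead to chase: follow it with a review of files created under the web root around that timestamp, since the advisory's chain ends in a PHP file being written and executed.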
RECOMMENDATION:
REFERENCES:
The following report contains further technical details:
https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html