CISA Adds Critical Joomla Vulnerability to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting the Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog. This move, announced on Tuesday, June 17, 2026, signifies that the vulnerability has been actively exploited in the wild, posing an immediate threat to organizations using the affected software.
The vulnerability, designated CVE-2026-48907, carries the highest possible CVSS score of 10.0, indicating maximum severity. It stems from an improper access control issue that can be leveraged to execute arbitrary code on vulnerable systems. CISA’s advisory explicitly states that the flaw allows the upload and execution of PHP code by creating new editor profiles for unauthenticated users.
The vulnerability specifically impacts versions of the JCE editor for Joomla ranging from 1.0.0 up to 2.9.99.4. Widget Factory has addressed this security gap with the release of version 2.9.99.5 on June 3, 2026. According to the company’s release notes, the issue was caused by insufficient access controls that inadvertently permitted unauthenticated users to upload editor profiles to the system.
Currently, details regarding the specific methods or extent of this vulnerability’s exploitation remain limited. However, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must implement the necessary security patches by June 19, 2026, to mitigate the risk.
Broader Trends: Supply Chain Attacks Continue to Threaten WordPress Ecosystem
The inclusion of the JCE vulnerability in CISA’s KEV catalog highlights a persistent and evolving threat landscape, particularly concerning supply chain attacks. These attacks often target widely used software components and plugins, allowing threat actors to compromise numerous systems indirectly.
Recent WordPress Compromises Detail Sophisticated Attack Vectors
Concurrently, Sansec has shed light on a significant supply chain attack campaign that has potentially impacted over one million websites utilizing popular WordPress plugins: OptinMonster, TrustPulse, and PushEngage. Threat actors in this campaign are reported to be injecting malicious JavaScript code. This code lies dormant until it detects a logged-in administrator, at which point it creates a backdoor administrative account and installs a stealthy backdoor plugin.
In a separate, yet equally concerning incident, unknown attackers have been observed compromising WordPress sites to deploy a deceptive WordPress plugin masquerading as “Beloved PBN Entegrasyonu.” This plugin would covertly transmit the compromised site’s URL to an external API with every page load. Furthermore, it injected arbitrary HTML or JavaScript received from the server into the website’s footer, altering content and potentially redirecting users or executing malicious scripts.
The exact entry point for these attackers remains unclear. However, the access gained reportedly allowed them to embed two PHP web shells as raw executable code within the “wp_posts” database records. This level of access granted them unrestricted read and write capabilities across the entire server file system, bypassing authentication requirements.
According to Sucuri researcher Puja Srivastava, these database-resident payloads empower the threat actor to perform a wide range of file operations, including reading, writing, editing, and deleting any file on the server. They can also browse server directories, modify file permissions, rename files, create new files and folders, and upload files from their own machines.
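One defensive check that follows from the incident above is to look for raw PHP stored inside `wp_posts` rows, since ordinary post content should never carry a PHP open tag. The following is an added example, not code from Sucuri or from the campaign write-up; it uses an in-memory SQLite stand-in for the `wp_posts` table with constructed sample rows (the `SELECT ... LIKE` filter runs unchanged against MySQL), and the list of suspicious function names is an assumption chosen for illustration.

```python
import re
import sqlite3

# Constructed stand-in rows for wp_posts (only the columns the check needs).
# Row 2 is a legitimate tutorial that shows PHP as entity-escaped HTML and must
# not be flagged; rows 3 and 4 imitate PHP stored as raw, executable content.
SAMPLE_ROWS = [
    (1, "Welcome", "post", "publish", "<p>Hello world</p>"),
    (2, "PHP tutorial", "post", "publish",
     "<pre>&lt;?php echo 'hi'; ?&gt;</pre>"),
    (3, "", "post", "draft", "<?php @eval(base64_decode($_POST['x'])); ?>"),
    (4, "Footer", "wp_global_styles", "publish", "<?= system($_GET['cmd']); ?>"),
]

# A raw PHP open tag: "<?php" or the short echo tag "<?=".
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Calls a stored shell typically needs to run code or touch the file system
# (assumed indicator list, extend to taste).
SUSPICIOUS_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|file_put_contents|move_uploaded_file)\s*\(",
    re.IGNORECASE,
)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like wp_posts and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
                 "post_type TEXT, post_status TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_php_in_posts(conn: sqlite3.Connection) -> list:
    """Return [(ID, post_type, post_status, reason)] for rows whose post_content
    holds a raw PHP open tag. Entity-escaped '&lt;?php' does not match."""
    findings = []
    rows = conn.execute("SELECT ID, post_type, post_status, post_content "
                        "FROM wp_posts WHERE post_content LIKE '%<?%'")
    for post_id, ptype, status, content in rows:
        if not PHP_TAG.search(content):
            continue
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALL.finditer(content)})
        reason = "php tag + " + ",".join(calls) if calls else "php tag"
        findings.append((post_id, ptype, status, reason))
    return findings


if __name__ == "__main__":
    for hit in find_php_in_posts(build_sample_db()):
        print("suspicious wp_posts row:", hit)
```

Any hit should be treated as a lead for investigation rather than proof on its own; export the row and check the site for the plugin or theme code that would actually execute stored content.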
“Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site’s search rankings and risking a manual penalty in Google Search Console,” Srivastava noted. The campaign is believed to be orchestrated by a Turkish-speaking threat actor and is rooted in a classic SEO monetization strategy, focusing on hidden backlink injection for Private Blog Networks (PBNs), likely catering to the gambling and adult affiliate markets.
The ongoing prevalence of these sophisticated supply chain attacks underscores the critical need for continuous vigilance and prompt patching of all software components. Organizations must remain aware of emerging threats and prioritize robust security practices, including regular vulnerability scanning and the immediate application of security updates, to safeguard their digital assets against increasingly complex cyber threats.