The Widget Factory Joomla Content Editor (JCE) plugin contains an improper access control vulnerability (CVE-2026-48907) that enables unauthenticated attackers to upload and execute arbitrary PHP code by creating new editor profiles. This vulnerability is actively exploited in automated attacks targeting Joomla deployments using the JCE WYSIWYG editor. The JCE security team released version 2.9.99.6 to fix this issue. CISA has added this vulnerability to its actively exploited vulnerabilities list and issued a Binding Operational Directive (BOD 26-04) requiring federal agencies to patch by a specified deadline. The vulnerability allows code execution without privileges via low-complexity attacks.

Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code on affected Joomla sites, potentially leading to full system compromise. The vulnerability is actively exploited with public exploit code and automated attacks, increasing the risk of widespread compromise. Compromised sites may retain attacker-created profiles and malicious implants even after patching, requiring thorough cleanup.

A patch is available in JCE Pro version 2.9.99.6. Users should update immediately to this version or later. For sites already compromised, update the plugin, back up and investigate rogue editor profiles, delete attacker profiles, change all relevant passwords (administrator, database, hosting), and perform a full server-side malware scan to ensure no residual malicious code remains. CISA requires federal agencies to prioritize patching per BOD 26-04. If mitigations are unavailable, discontinuing use of the vulnerable product is advised.