All stories
highExploited Vulnerabilities

CISA Urges Federal Agencies to Patch Exploited Joomla Plugin Vulnerability by Friday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch a critical vulnerability in the Widget Factory Joomla Content Editor plugin by Friday. The flaw, actively exploited in the wild, allows attackers to execute arbitrary PHP code without authentication. Immediate action is required: update to JCE Pro 2.9.99.6 or later and conduct thorough site cleanups.

Harith Dilshan·Jun 17, 2026·4 min read·Primary source

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal agencies to patch a critical vulnerability in the Widget Factory Joomla Content Editor plugin, identified as being actively exploited. This flaw allows attackers to execute arbitrary PHP code by exploiting improper access controls within the JCE WYSIWYG editor plugin. CISA's Binding Operational Directive (BOD) 26-04 mandates immediate remediation of this high-risk vulnerability, emphasizing its inclusion in their Known Exploited Vulnerabilities Catalog.

What Happened

CISA has highlighted a severe flaw in the Widget Factory Joomla Content Editor (JCE) plugin that poses significant risks to federal agencies. The vulnerability allows unauthenticated users to create new editor profiles and upload PHP code for execution. This improper access control issue is being actively exploited, with public exploit codes available, making it imperative for affected sites to update immediately.

Technical Details

The core of the vulnerability lies in the JCE plugin's ability to allow unauthenticated users to manipulate editor profiles. By creating these profiles, attackers can upload and execute PHP code on Joomla deployments using this specific plugin version. The flaw has been addressed by the JCE team with the release of version 2.9.99.6, which patches the entry point but does not remove any malicious code previously uploaded.

Affected Products and Fixed Versions

The vulnerability affects all versions of the Widget Factory Joomla Content Editor (JCE) plugin up to 2.9.99.5. The recommended action is to update to version 2.9.99.6 or later, which resolves the identified security issue. Users must also take additional steps to clean their sites if they were compromised before updating.

Exploitation Status

The vulnerability has been publicly disclosed and exploited in automated attacks. CISA's inclusion of this flaw in its Known Exploited Vulnerabilities Catalog underscores its severity and the need for immediate action by affected organizations.

Indicators of Compromise

While specific indicators of compromise (IOCs) are not detailed, users should be vigilant for unauthorized editor profiles or unexpected PHP code uploads within their Joomla installations. Monitoring for unusual activity related to profile creation is advised.

Detection Opportunities

Security teams can detect potential exploitation attempts by monitoring for the creation of new editor profiles without proper authentication. Implementing logging and alert mechanisms around these actions can help identify suspicious activities early.

Remediation Steps

  1. Update: Immediately upgrade to JCE Pro 2.9.99.6 or later.
  2. Backup: Backup rogue profiles before updating.
  3. Clean Up: After updating, delete any attacker-created profiles.
  4. Change Passwords: Update all passwords related to the site, including administrator and database credentials.
  5. Scan for Malware: Conduct a full server-side malware scan to ensure no additional malicious tools remain.

Timeline

  • Early June: JCE team releases version 2.9.99.6 addressing the vulnerability.
  • June 16, 2026: CISA adds the flaw to its Known Exploited Vulnerabilities Catalog and issues a directive for federal agencies to patch by Friday.

Why This Matters for Defenders

This incident underscores the critical importance of timely patch management, especially for vulnerabilities actively exploited in the wild. Federal agencies must adhere to CISA's directives to mitigate risks effectively. The situation also highlights the need for comprehensive site cleanups post-exploitation to ensure no remnants of malicious code remain.

What Remains Unclear

While the vulnerability and its exploitation are well-documented, specific details about the threat actors or their motives remain unclear. Additionally, the full extent of affected deployments beyond federal agencies is not specified.

Defender Guidance

Federal agencies must prioritize patching this vulnerability by updating to JCE Pro 2.9.99.6 or later. Beyond immediate updates, a thorough site cleanup involving profile backups, password changes, and malware scans is essential to secure compromised sites fully. Agencies should also evaluate their internet exposure and adhere strictly to CISA's BOD 26-04 guidelines for risk-based vulnerability management.

Hashtags

#h4rithd #news #HarithDilshan #Joomla #CISA #CVE202649907 #VulnerabilityManagement

Sources

  1. https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday/
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-48907
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907
  4. https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
#ExploitedVulnerabilities#h4rithd#news#HarithDilshan#ExploitedVulnerabilities#CyberSecurity#InfoSec#ThreatIntel
Harith Dilshan

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -

Related reading

highExploited Vulnerabilities

Attackers Exploit Critical Fortinet FortiSandbox Flaws for Unauthorized Code Execution

Jun 16, 2026 · 3 min readhighExploited Vulnerabilities

Critical Vulnerabilities in Joomla and LiteSpeed Lead to Active Exploitation, Urging Immediate Updates

Jun 16, 2026 · 3 min readcriticalExploited Vulnerabilities

Unauthenticated File Manipulation Flaw in Splunk Enterprise Exposes Critical Risk

Jun 13, 2026 · 3 min read