CISA Adds Critical Joomla JCE Vulnerability To KEV Catalog Amid Active Exploitation Campaigns

Published:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability affecting Widget Factory's Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active exploitation in the wild. The flaw, tracked as CVE-2026-48907 and assigned the maximum CVSS severity score of 10.0, affects JCE versions from 1.0.0 through 2.9.99.4 and could allow attackers to execute arbitrary PHP code on vulnerable systems. Security experts have described the issue as an improper access control weakness that enables unauthenticated users to create new editor profiles and subsequently upload and execute malicious PHP files. The vulnerability has been addressed in JCE version 2.9.99.5, which was released on June 3, 2026. CISA’s decision to include the flaw in the KEV catalog highlights the urgency of remediation efforts, particularly as exploit code is publicly available and attacks have reportedly become automated.

According to Joomla and security researchers, threat actors are actively exploiting the flaw to gain unauthorised access to vulnerable websites. The weakness allows attackers to import malicious editor profiles that can then be used to deploy web shells, creating persistent backdoors on compromised servers. Security specialists warn that simply applying the software update does not remove malicious files or backdoors that may already have been installed before patching. Joomla has urged administrators to inspect their environments for suspicious editor profiles and carefully review web server logs for unauthenticated requests targeting the profile import function associated with the vulnerable component. Additional research revealed that attackers are leveraging the flaw to establish long-term access to affected systems, creating opportunities for further malicious activity. In response to the growing threat, Federal Civilian Executive Branch agencies in the United States have been directed to implement the necessary updates by June 19, 2026, underscoring the seriousness of the vulnerability and its potential impact on public sector environments.
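One way to carry out the log review that Joomla recommends above, written as an added example rather than code from the article or from Joomla's own guidance. It parses web server access logs in the common "combined" format, picks out requests aimed at the JCE profile import function, and flags those that did not come through the Joomla backend or did not originate from a known administrator address. The log lines and the administrator address list are constructed for the example; `com_jce` is JCE's Joomla component name, but the `task=profiles.import` request pattern is an assumed placeholder that should be replaced with the real endpoint of the installed version. Because combined-format logs record HTTP auth users but not Joomla session cookies, "unauthenticated" cannot be read directly from a line; the script uses request path and source address as proxies and reports the HTTP status so blocked (403) and accepted (2xx/3xx) attempts can be prioritised separately.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed request signature for the JCE profile import function. "option=com_jce" is the
# real component name; the "import" task marker is a hypothetical placeholder to be
# replaced with the endpoint name used by the installed JCE version.
PROFILE_IMPORT_MARKERS = ("option=com_jce", "import")

# Constructed sample: addresses from which administrators legitimately manage the site.
KNOWN_ADMIN_IPS = {"198.51.100.5"}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:02:14:05 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [04/Jun/2026:09:30:11 +0000] "POST /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "https://example.org/administrator/" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2026:02:14:09 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.9 - - [04/Jun/2026:03:00:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_profile_import(path):
    """True when the request path carries every marker of the profile import function."""
    lowered = path.lower()
    return all(marker in lowered for marker in PROFILE_IMPORT_MARKERS)


def triage(lines, known_admin_ips):
    """Flag profile import requests that bypass the backend or come from unknown addresses."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_profile_import(rec["path"]):
            continue
        reasons = []
        # Legitimate profile management happens in the Joomla administrator backend.
        if not rec["path"].startswith("/administrator/"):
            reasons.append("profile import outside /administrator/ backend")
        # Combined logs do not carry Joomla session state, so use the source address as a proxy.
        if rec["ip"] not in known_admin_ips:
            reasons.append("source IP not a known administrator")
        if reasons:
            findings.append(Finding(ip=rec["ip"], time=rec["time"], method=rec["method"],
                                    path=rec["path"], status=rec["status"],
                                    reason="; ".join(reasons)))
    return findings


def summarize(findings):
    """Count flagged requests per source address to see which hosts to block or investigate."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines(), KNOWN_ADMIN_IPS)
    for f in results:
        accepted = "ACCEPTED" if f.status < 400 else "blocked"
        print(f"{f.time} {f.ip} {f.method} {f.path} -> {f.status} ({accepted}): {f.reason}")
    print("per-source counts:", dict(summarize(results)))
```

Run it against the real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; any accepted (2xx/3xx) hit from an unknown address is a reason to examine the JCE profile list and the web root for files added around that timestamp, since patching alone does not remove what an earlier import may have installed.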

The disclosure comes alongside reports of multiple large-scale campaigns targeting WordPress websites through supply chain compromises and malicious plugins. Cybersecurity firm Sansec disclosed a campaign that reportedly affected more than one million websites using popular WordPress plugins, including OptinMonster, TrustPulse, and PushEngage. Researchers found that attackers injected malicious JavaScript designed to remain dormant until a website administrator logged in. Once activated, the code created hidden administrative accounts and installed stealth backdoor plugins that allowed persistent access to compromised systems. Such attacks demonstrate the increasing focus on software supply chains as a method for reaching large numbers of victims through trusted platforms and widely deployed software components. Security experts noted that these campaigns highlight the risks associated with compromised third-party software and the importance of continuous monitoring of website environments.

In a separate campaign, researchers identified a malicious WordPress plugin named “Beloved PBN Entegrasyonu” that was deployed on compromised websites. The plugin quietly transmitted website information to an external server and injected HTML or JavaScript code into page footers based on instructions received from attacker-controlled infrastructure. Investigators determined that threat actors also deployed PHP web shells within WordPress database records, providing unrestricted access to server resources without requiring authentication. These capabilities allowed attackers to browse directories, modify files, upload malicious content, alter permissions, and manage server resources remotely. Researchers from Sucuri stated that every visitor to affected websites was exposed to hidden outbound links that could negatively impact search engine rankings and potentially trigger penalties from search providers. The activity has been linked to a Turkish-speaking threat actor operating a search engine optimisation monetisation scheme focused on generating value through hidden backlink networks associated with gambling and adult affiliate content. The combined findings illustrate the continued evolution of web-based attacks, where vulnerabilities, compromised plugins, and supply chain weaknesses are increasingly being used to gain persistent access and exploit website infrastructure on a large scale.
