Joomla JCE exploit active, CISA gives agencies 3 days
Key insights
- CVE-2026-48907 gives unauthenticated attackers PHP code execution on all JCE versions from 1.0.0 through 2.9.99.4, with a CVSS score of 10.0.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog June 16, giving federal agencies until June 19, 2026, to apply the patch.
- The same disclosure covers supply chain attacks injecting malicious JavaScript into WordPress plugins OptinMonster, TrustPulse, and PushEngage.
Why this matters
CISA's June 19 deadline gives federal agencies just three days to patch, a timeline most enterprise change-management processes cannot meet without emergency procedures. The simultaneous disclosure of supply chain attacks on OptinMonster, TrustPulse, and PushEngage suggests threat actors are working across the open-source CMS ecosystem, not just against isolated Joomla deployments. For technical leaders managing web infrastructure, a CVSS 10.0 unauthenticated RCE paired with database-resident PHP web shells means a single unpatched instance can become a persistent, hard-to-detect foothold: a shell stored in database content rather than on disk survives a file-level reinstall and is invisible to file-integrity monitoring of the web root.
Summary
CVE-2026-48907 in Widget Factory's Joomla Content Editor (JCE) hit CISA's Known Exploited Vulnerabilities catalog June 16, with active exploitation confirmed in the wild.
The CVSS 10.0 flaw lets unauthenticated attackers create editor profiles and execute arbitrary PHP code. All JCE versions 1.0.0 through 2.9.99.4 are vulnerable; the fix is version 2.9.99.5, released June 3.
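The affected range above ends at 2.9.99.4 and the fix is 2.9.99.5, so a version check has to compare the four components numerically: as strings, "2.9.99.10" sorts before "2.9.99.5". The following is an added example, not code from the article or from Widget Factory; it assumes the JCE manifest lives at administrator/components/com_jce/jce.xml with a `<version>` element (the usual Joomla extension-manifest layout), and the sample manifests are constructed for the demonstration.

```python
"""Check which JCE version a Joomla install reports and whether it falls in the
affected range (1.0.0 through 2.9.99.4, fixed in 2.9.99.5).

Added example; not code from the article or from Widget Factory. It assumes
the component manifest sits at administrator/components/com_jce/jce.xml with
a <version> element, the usual Joomla manifest layout. The sample manifests
at the bottom are constructed for the demonstration.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_VERSION = "2.9.99.5"  # first fixed release named in the advisory
MANIFEST_REL_PATH = Path("administrator/components/com_jce/jce.xml")  # assumed location


def parse_version(version: str) -> tuple:
    """'2.9.99.4' -> (2, 9, 99, 4). Compare numerically, never as strings:
    as strings '2.9.99.10' < '2.9.99.5', which would misclassify a patched
    site as vulnerable."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_manifest(xml_text: str) -> str:
    """Pull <version> out of a Joomla extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def assess_manifest(xml_text: str) -> dict:
    """Assess a manifest's text and report version plus vulnerability status."""
    ver = version_from_manifest(xml_text)
    return {"installed": True, "version": ver, "vulnerable": is_vulnerable(ver)}


def check_site(joomla_root) -> dict:
    """Look for the JCE manifest under a Joomla web root and assess it."""
    manifest = Path(joomla_root) / MANIFEST_REL_PATH
    if not manifest.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    return assess_manifest(manifest.read_text(encoding="utf-8"))


# Constructed sample manifests (trimmed to the elements this check reads).
SAMPLE_VULNERABLE = (
    '<extension type="component" method="upgrade">'
    "<name>JCE</name><version>2.9.99.4</version></extension>"
)
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("2.9.99.4", "2.9.99.5")

if __name__ == "__main__":
    for text in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(assess_manifest(text))
    # Real check: pass the Joomla web root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(check_site(root))
```

Run it with the Joomla web root as the argument; a result of `vulnerable: True` means the install is still inside the 1.0.0 to 2.9.99.4 range and needs 2.9.99.5.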
Essentially (per CISA and Widget Factory): unpatched JCE installs are live RCE targets.
- Federal agencies must patch by June 19, 2026.
- Concurrent supply chain attacks hit WordPress plugins OptinMonster, TrustPulse, and PushEngage via malicious JavaScript.
Database-resident PHP web shells and SEO-monetized hidden backlinks round out what is reported as a coordinated campaign against open-source CMS infrastructure.
Potential risks and opportunities
Risks
- Joomla sites running JCE versions 1.0.0 through 2.9.99.4 are exposed now, not only after June 19, 2026: the flaw is unauthenticated PHP code execution, and actors are already confirmed to be exploiting CVE-2026-48907.
- Federal agencies that miss the June 19 deadline fall out of compliance with BOD 22-01, the CISA directive that makes KEV remediation dates binding, and face potential mandatory incident reporting if a compromise is discovered on an unpatched system.
- WordPress operators running OptinMonster, TrustPulse, or PushEngage face visitor data theft or drive-by redirects unless the malicious JavaScript injected in the concurrent supply chain attacks is found and removed.
Opportunities
- Managed Joomla and WordPress hosting providers can differentiate immediately by auto-applying the JCE 2.9.99.5 patch and auditing plugin supply chains, turning a publicized emergency into a customer-retention event.
- CMS security scanning vendors gain a concrete budget-unlock catalyst -- a named CVSS 10.0 CVE on CISA's KEV catalog -- to accelerate sales cycles at federal agencies and enterprises right now.
- Incident response firms gain immediate pipeline from Joomla operators and federal agencies that missed the June 19 deadline or discovered active PHP web shell compromise via the described campaign.
What we don't know yet
- Attribution behind the active exploitation of CVE-2026-48907 -- no threat actor, country-nexus, or infrastructure analysis is disclosed in the article.
- Whether the Joomla JCE campaign and the WordPress plugin supply chain attacks on OptinMonster, TrustPulse, and PushEngage are linked to the same threat actor or are separate operations.
- How many JCE installs globally remain on vulnerable versions 1.0.0 through 2.9.99.4 -- no installed-base count or global exposure estimate appears in the article.
Originally reported by thehackernews.com
Original headline: CISA Adds Maximum-Severity Joomla JCE Flaw (CVSS 10.0) to Known Exploited Vulnerabilities Catalog — Unauthenticated PHP Code Execution Active in the Wild