TP-EXP-2026-0324 CVE-2026-48907 high Patched AI Draft

Widget Factory Joomla Content Editor Improper Access Control Vulnerability (CVE-2026-48907)

  • CVE: CVE-2026-48907
  • Platform: Widget Factory Joomla Content Editor
  • Type: Improper Access Control
  • Severity: HIGH
  • Status: Patched
  • Zero-Day: Confirmed
  • Disclosed: June 5, 2026
  • Patched: June 3, 2026
  • CISA KEV: Listed

Severity Assessment

  • Exploitability: 8.8/10
  • Impact: 8.4/10
  • Weaponization Risk: 8.7/10
  • Patch Urgency: 9.5/10
  • Detection Coverage: 5.8/10

Summary

CVE-2026-48907 is an improper access control vulnerability in Widget Factory’s Joomla Content Editor (JCE) extension for Joomla. CISA describes the issue as allowing upload and execution of PHP code through creation of new editor profiles by unauthenticated users. NVD records the vulnerability as CWE-284 and describes the same unauthenticated profile-creation path leading to PHP code upload and execution.

Widget Factory says JCE 2.9.99.5, released on 2026-06-03, patched the critical vulnerability in earlier versions, and JCE 2.9.99.6, released on 2026-06-08, added additional hardening. The vendor states that the vulnerability was actively exploited, public exploit code existed, and attacks were automated. For sites that cannot move to JCE 2.9.99.6 because of older PHP or Joomla dependencies, the vendor also published a stopgap patch package for JCE 2.7.x, 2.8.x, and 2.9.x while warning that the patch does not clean already compromised sites.

CISA added CVE-2026-48907 to the Known Exploited Vulnerabilities catalog on 2026-06-16 with a required action due date of 2026-06-19. CISA lists known ransomware campaign use as Unknown. Public sources reviewed for this draft do not identify a named threat actor, a confirmed victim count, or a campaign cluster; attribution is therefore Unknown.

Exploit Chain

Stage 1: Unauthenticated Access to the Profile Import Path

The vulnerable condition exposes JCE profile import behavior to unauthenticated users. The vendor directs defenders to search web server logs for requests to index.php?option=com_jce&task=profiles.import, which it identifies as the relevant profile import task.

Stage 2: Rogue Editor Profile Creation

An attacker can create or import an editor profile that was not created by the site owner. The vendor notes that rogue profiles may have automatically generated names and may be ordered near the top of the profile list.

Stage 3: Dangerous Upload Permissions

The attacker-controlled profile can permit upload of executable files, including PHP or other script files, through JCE plugin settings such as Image Manager or File Browser permitted file extensions.

Stage 4: PHP File Upload and Execution

With upload permissions changed, the attacker can upload executable content. The vendor specifically warns defenders to inspect image, media, and temporary directories for PHP files or files with PHP in the name, because the default upload location can be the images folder when no upload path is set.

Detection Guidance

  1. Inventory Joomla sites that use JCE and verify each is updated to 2.9.99.6 or later; where a full update is not immediately possible, confirm that the vendor’s temporary patch package has been applied instead.
  2. Inspect web server access logs for unauthenticated requests to index.php?option=com_jce&task=profiles.import; use the earliest matching entry to bound potential compromise timing.
  3. Review Components -> JCE Editor -> Editor Profiles for profiles that site administrators did not create, especially profiles with meaningless names or unexpected ordering.
  4. Check JCE plugin permitted file extension settings for PHP or other script types that should not be uploadable.
  5. Search image, media, and temporary directories for unexpected PHP files or filenames containing PHP, including misleading names such as files ending in .php.xml.
  6. Review frontend editor behavior for stripped-down toolbars or missing expected buttons, then correlate that symptom with profile and file-system evidence before treating it as confirmation.
  7. If compromise is suspected, preserve copies of suspicious profiles and files before removal, rotate administrator, database, hosting, and FTP credentials, and run a server-side malware scan after patching the entry point.

Indicators of Compromise

Web and Application Indicators

  • Unauthenticated requests to index.php?option=com_jce&task=profiles.import.
  • Unexpected JCE editor profiles, especially profiles with automatically generated names or unusual ordering.
  • JCE profiles configured to allow PHP or other executable script uploads.

Host and File Indicators

  • PHP files in Joomla images, media, or temporary directories that site operators did not place there.
  • Filenames in upload directories that contain PHP in misleading forms, such as *.php.xml.
  • Uploaded files associated with a rogue JCE profile or with upload paths not used by legitimate site maintenance.

Administrative Indicators

  • Front-end editor instances showing a stripped-down toolbar or missing expected toolbar buttons when paired with unfamiliar editor profiles.
  • Administrator, database, hosting, or FTP credential use inconsistent with normal maintenance after the likely exploitation window.
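The following script is an added triage example, not code from Widget Factory or from this report, covering two of the checks above: detection steps 2 and 5 and the matching web and host indicators. It parses combined-format access log lines for requests carrying option=com_jce and task=profiles.import (query string decoded, parameter order ignored) and reports the earliest hit to bound the exploitation window, then walks the Joomla images, media, and tmp directories for any filename containing "php", which is the vendor's broad rule and so catches names such as cache.php.xml. The log lines, IP addresses, and file tree are constructed for the demonstration; the directory list and log regex are assumptions about a default Joomla layout and an Apache/nginx combined log format.

```python
"""Added triage helpers for CVE-2026-48907 (example code, not vendor code):
profile-import requests in access logs and PHP-named files in upload dirs."""
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/nginx default); only the fields needed are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. Lines 2 and 3 are noise that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2026:02:14:09 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.5 - - [04/Jun/2026:09:30:01 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2026:02:14:11 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 200 233 "-" "python-requests/2.31"',
    '203.0.113.9 - - [03/Jun/2026:23:58:40 +0000] "POST /index.php?option=com_jce&task=profiles%2Eimport HTTP/1.1" 200 512 "-" "curl/8.4.0"',
]


def is_profile_import(target: str) -> bool:
    """True when the request target carries the vendor's indicator parameters."""
    query = urlsplit(unquote(target)).query
    qs = parse_qs(query)
    return "com_jce" in qs.get("option", []) and "profiles.import" in qs.get("task", [])


def find_profile_import_requests(lines: Iterable[str]) -> List[dict]:
    """Return parsed hits (ip, timestamp, method, status) for profile-import requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_profile_import(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "status": int(m["status"]),
        })
    return hits


def earliest_profile_import(lines: Iterable[str]) -> Optional[datetime]:
    """Earliest matching request: a lower bound on when compromise could have begun."""
    return min((h["when"] for h in find_profile_import_requests(lines)), default=None)


# Assumed default Joomla upload and temp locations relative to the site root.
UPLOAD_DIRS = ("images", "media", "tmp")


def is_suspicious_name(name: str) -> bool:
    """Vendor rule: PHP files or anything with 'php' in the name (e.g. shell.php.xml)."""
    return "php" in name.lower()


def find_suspicious_uploads(joomla_root: Path) -> List[str]:
    """Walk the upload directories only; core PHP elsewhere in the site is expected."""
    found = []
    for sub in UPLOAD_DIRS:
        base = joomla_root / sub
        if not base.is_dir():
            continue
        for dirpath, _, files in os.walk(base):
            for f in files:
                if is_suspicious_name(f):
                    found.append(Path(dirpath, f).relative_to(joomla_root).as_posix())
    return sorted(found)


def demo_scan() -> List[str]:
    """Build a constructed Joomla-like tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel in ("images/banners/photo.jpg", "images/cache.php.xml",
                    "media/jui/js/app.js", "tmp/upload.PHP", "administrator/index.php"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("x")
        return find_suspicious_uploads(root)


if __name__ == "__main__":
    for h in find_profile_import_requests(SAMPLE_LOG):
        print(f"{h['when'].isoformat()} {h['ip']} {h['method']} status={h['status']}")
    print("earliest profile import:", earliest_profile_import(SAMPLE_LOG))
    print("suspicious uploads:", demo_scan())
```

Run it against a real access log by feeding the file's lines to find_profile_import_requests and the site root to find_suspicious_uploads. The log check matches the request regardless of whether a session was present, so a hit from a legitimate administrator import is possible; correlate with the profile list and file-system findings, as step 6 advises, before treating a match as confirmation. The name filter is deliberately broad and will flag benign files such as a PHP logo image; it is a review queue, not a verdict.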

Disclosure Timeline

2026-06-03 — JCE 2.9.99.5 released

Widget Factory released JCE 2.9.99.5 with a security fix for insufficient access controls that permitted unauthenticated users to upload editor profiles.

2026-06-05 — NVD record published

NVD published CVE-2026-48907 with a description of unauthenticated creation of new editor profiles leading to PHP code upload and execution, and recorded CWE-284.

2026-06-08 — JCE 2.9.99.6 hardening released

Widget Factory released JCE 2.9.99.6 with additional codebase review and hardening across input validation, access control, and file handling.

2026-06-12 — Vendor compromise guidance published

Widget Factory published remediation and compromise-check guidance, including the profile import log path, signs of rogue profiles, suspicious upload locations, and a temporary patch option for older JCE branches.

2026-06-16 — Added to CISA KEV

CISA added CVE-2026-48907 to the Known Exploited Vulnerabilities catalog with a required action date of 2026-06-19 and known ransomware campaign use listed as Unknown.

Sources & References