The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a severe vulnerability in the Widget Factory Joomla Content Editor (JCE). This flaw has been actively exploited and has been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is identified as CVE-2026-48907, with a maximum CVSS score of 10.0, indicating its critical nature.
Critical Security Flaw Details
The vulnerability stems from improper access control within the Joomla Content Editor, permitting unauthorized users to create new editor profiles. This loophole allows for the upload and execution of PHP code, posing a significant security threat. Versions 1.0.0 through 2.9.99.4 of the JCE are affected, with a patch available in version 2.9.99.5 as of June 3, 2026.
CISA has urged Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by June 19, 2026, to mitigate the risk. Despite the urgency, details about the specific exploitation methods remain undisclosed.
WordPress Sites Under Attack
Simultaneously, a new supply chain attack has been identified, targeting over a million WordPress sites. The attack focuses on plugins such as OptinMonster, TrustPulse, and PushEngage, where attackers inject malicious JavaScript. This code activates when an admin is logged in, creating a backdoor admin account and installing a hidden plugin.
Another campaign involves embedding a fake WordPress plugin called “Beloved PBN Entegrasyonu”. This plugin stealthily communicates with an external API and injects unauthorized HTML or JavaScript into the site, compromising its integrity.
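The two campaigns above leave artifacts a site owner can audit for: an administrator account that was not there before, a plugin that was not deliberately installed, and outbound links hidden from visitors by CSS. The script below is an added example (not code from the article, Sucuri, or the plugin vendors) that checks all three. It assumes two inputs in the shape of `wp user list --role=administrator --format=json` and `wp plugin list --format=json`, a baseline of known-good admins and plugins kept somewhere the web server cannot write to, and the site's rendered HTML; all sample data is constructed for the example.

```python
import json
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Constructed sample in the shape of `wp user list --role=administrator --format=json`.
ADMIN_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test"},
    {"ID": 57, "user_login": "wp_support_admin", "user_email": "x@throwaway.example"},
])

# Constructed sample in the shape of `wp plugin list --format=json`.
PLUGINS_JSON = json.dumps([
    {"name": "optinmonster", "status": "active", "version": "2.16.0"},
    {"name": "beloved-pbn-entegrasyonu", "status": "active", "version": "1.0"},
])

# Assumed known-good baseline, recorded before the incident and stored outside the web root.
BASELINE = {
    "admins": {"siteowner"},
    "plugins": {"optinmonster", "akismet"},
}

# Constructed page HTML: one visible link and two links hidden by CSS.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<div style="position:absolute;left:-9999px"><a href="https://casino.example/">best slots</a></div>
<a href="https://example.test/about">About</a><br>
<a style="display:none" href="https://adult.example/x">link</a>
</body></html>"""

SITE_HOST = "example.test"


def diff_against_baseline(admin_json, plugin_json, baseline):
    """Report admin accounts and plugins present now but absent from the baseline."""
    admins = {u["user_login"] for u in json.loads(admin_json)}
    plugins = {p["name"] for p in json.loads(plugin_json)}
    return {
        "new_admins": sorted(admins - baseline["admins"]),
        "new_plugins": sorted(plugins - baseline["plugins"]),
        "missing_plugins": sorted(baseline["plugins"] - plugins),
    }


# Inline styles commonly used to keep injected links out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|font-size\s*:\s*0(?!\.)",
    re.I,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class HiddenLinkFinder(HTMLParser):
    """Collect external <a href> targets that sit inside (or are themselves) a hidden element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []        # one bool per open element: did it add to hidden_depth?
        self.hidden_depth = 0  # how many enclosing elements carry a hiding style
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
            if hidden:
                self.hidden_depth += 1
        if tag == "a" and (self.hidden_depth > 0 or hidden):
            host = urlparse(a.get("href", "")).hostname
            if host and host != self.site_host:
                self.findings.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack and self.stack.pop():
            self.hidden_depth -= 1


def find_hidden_external_links(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    print(diff_against_baseline(ADMIN_USERS_JSON, PLUGINS_JSON, BASELINE))
    print(find_hidden_external_links(SAMPLE_HTML, SITE_HOST))
```

Run as a scheduled job, the baseline diff catches the backdoor account and the rogue plugin the moment they appear, while the HTML scan is run against the page as an anonymous visitor sees it, since injected content of this kind is often served only to non-admin sessions or to search engine crawlers.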
Impact and Future Outlook
These security breaches allow attackers to gain extensive control over compromised sites, including file manipulation and server access without authentication. Such vulnerabilities not only threaten site security but also impact SEO rankings, as noted by Sucuri researcher Puja Srivastava. The injected outbound links can lead to penalties from Google, damaging the site’s visibility.
The campaigns, believed to be operated by Turkish-speaking threat actors, utilize hidden backlinks for Private Blog Networks (PBNs), likely connected to gambling and adult content niches. As these threats evolve, cybersecurity measures and prompt patching remain crucial in safeguarding digital assets.
