Widget Factory Joomla Content Editor Flaw Exploited
2026-06-17 15:18 | Severity: CRITICAL | Confidence: HIGH
Executive Summary (AI-generated)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Widget Factory Joomla Content Editor (JCE), a popular content editor for the open-source Joomla platform, contains an improper access control vulnerability that could allow bad actors to create new editor profiles for unauthenticated users, ultimately resulting in arbitrary code execution. The vulnerability impacts JCE versions from 1.0.0 through 2.9.99.4 and has been patched in version 2.9.99.5, released on June 3, 2026. CISA orders federal agencies to fix the vulnerability by June 19, 2026.
Technical Mitigations (AI-generated)
* Implement secure coding practices, such as input validation and sanitization, to prevent the creation of new editor profiles for unauthenticated users.
* Regularly update and patch Joomla versions to ensure that known vulnerabilities are addressed before they can be exploited.
* Use a web application firewall (WAF) or intrusion detection system (IDS) to monitor incoming traffic and block malicious requests.
* Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the Widget Factory Joomla Content Editor.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-48907
Target & Sectors
Global Scope
Incident Timeline
June 3, 2026
Threat actors exploited a known vulnerability in Joomla Content Editor (JCE), later added to the U.S. CISA catalog of Known Exploited Vulnerabilities, to target FCEB agencies.
June 17, 2026
Threat actors exploited a known vulnerability in Widget Factory's Joomla Content Editor (JCE), compromising affected installations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity security flaw in Widget Factory Joomla Content Editor to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation by unknown attackers who created new editor profiles for unauthenticated users via the JCE editor extension.
“A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.” reads the advisory.
According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution.
In its release notes, Widget Factory said "insufficient access controls permitted unauthenticated users to upload editor profiles."
Multiple Campaigns Target WordPress Sites
The disclosure comes as Sansec detailed a new supply chain attack campaign that targeted over 1 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins, with the threat actors injecting malicious JavaScript that "waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin."
In another campaign, unknown attackers have been found to compromise a WordPress site to embed a fake WordPress plugin named "Beloved PBN Entegrasyonu" that stealthily beaconed the site's URL to an external API upon every page load and injected arbitrary HTML or JavaScript returned by the server into the web page's footer.
"Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site's search rankings and risking a manual penalty in Google Search Console," Sucuri researcher Puja Srivastava said.
June 19, 2026
Threat actors used a known exploited vulnerability in Widget Factory's Joomla Content Editor to gain unauthorized access. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026.
Tactical Metrics
* Software Version (infrastructure): 1.0.0 through 2.9.99.4 affected; fixed in 2.9.99.5, released June 3, 2026.
Intelligence Sources
* The Hacker News, 2026-06-17
* Security Affairs, 2026-06-17
Incident Version History
Last Updated: 2026-06-29T06:27
Comprehensive Tactical Telemetry
Highly Correlated Entities
* JCE (organisation, identified entity): 13x
* The U.S. Cybersecurity and Infrastructure Security Agency (attribution, attributing authority): 11x
* June 3, 2026 (timeline, temporal reference): 5x
* T1588.006 - Vulnerabilities (MITRE ATT&CK technique): 2x
* 1.0.0 (infrastructure, software version): 2x
Contextual Telemetry (4 metrics)
* Exploited CVE: CVE-2026-48907
* CVSS Score: 10
* Date: Jun 17
* Sites affected (WordPress supply chain campaign): 1,000,000