
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

By The Hacker News
June 17, 2026


Ravie LakshmananJun 17, 2026Vulnerability / Supply Chain Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution.

“Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users,” CISA said.

According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution.

The issue impacts JCE versions from 1.0.0 through 2.9.99.4. It has been patched in version 2.9.99.5, released on June 3, 2026. In its release notes, Widget Factory said “insufficient access controls permitted unauthenticated users to upload editor profiles.”
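To triage hosts against the affected range above, the following added example (not code from Widget Factory, CISA, or the original article) classifies JCE installs by manifest version. It assumes the component manifest sits at `administrator/components/com_jce/jce.xml` under each Joomla root; the function names are illustrative.

```python
import os
import re
import xml.etree.ElementTree as ET

# Range from the article: 1.0.0 through 2.9.99.4 affected, 2.9.99.5 fixed.
FIRST_AFFECTED = (1, 0, 0, 0)
FIRST_FIXED = (2, 9, 99, 5)

# Assumption: JCE's component manifest lives here under a Joomla root.
MANIFEST_REL = os.path.join("administrator", "components", "com_jce", "jce.xml")


def parse_version(text):
    """Turn '2.9.99.4' into (2, 9, 99, 4); None if not dotted-numeric.

    Comparing integer tuples avoids the string-compare trap where
    '2.9.99.10' sorts before '2.9.99.5'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+){0,3})", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def jce_status(manifest_xml):
    """Classify one manifest as ('affected' | 'fixed' | 'unknown', raw_version)."""
    try:
        raw = ET.fromstring(manifest_xml).findtext("version")
    except ET.ParseError:
        return "unknown", None
    ver = parse_version(raw)
    if ver is None or ver < FIRST_AFFECTED:
        return "unknown", raw  # report for manual review rather than guess
    return ("affected" if ver < FIRST_FIXED else "fixed"), raw


def scan(webroot):
    """Walk webroot; return (site_dir, raw_version, status) per JCE manifest."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        candidate = os.path.join(dirpath, MANIFEST_REL)
        if os.path.isfile(candidate):
            with open(candidate, "rb") as fh:
                status, raw = jce_status(fh.read())
            findings.append((dirpath, raw, status))
            dirnames[:] = []  # do not descend into a site already classified
    return sorted(findings)
```

Treat any `unknown` result as needing manual inspection, since a missing or malformed version field says nothing about whether the install is patched.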

There is currently no information on how the vulnerability is being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026.

Multiple Campaigns Target WordPress Sites

The disclosure comes as Sansec detailed a new supply chain attack campaign that targeted over 1 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins, with the threat actors injecting malicious JavaScript that “waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin.”

In another campaign, unknown attackers were found to have compromised a WordPress site to embed a fake WordPress plugin named “Beloved PBN Entegrasyonu” that stealthily beaconed the site’s URL to an external API upon every page load and injected arbitrary HTML or JavaScript returned by the server into the web page’s footer.

Exactly how the attackers breached the website is unclear, but the access is said to have enabled them to stage two PHP web shells as raw executable code within the “wp_posts” database records and to interact with the scripts over HTTP. This, in turn, gave them unrestricted read/write access to the entire server file system without requiring any authentication.

Specifically, the database-resident payloads allow the threat actor to perform file actions, such as read, write, edit, or delete any file on the server, browse directories across the entire server, change file permissions, rename files, create new files and folders, and upload files from their own computer.

“Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site’s search rankings and risking a manual penalty in Google Search Console,” Sucuri researcher Puja Srivastava said.

“The campaign is operated by a Turkish-speaking threat actor and is built around a classic SEO monetization scheme: hidden backlink injection for a Private Blog Network (PBN), most likely tied to the gambling and adult affiliate niche.”


