CISA directs agencies to fix critical Joomla plugin bug by Friday

The U.S. Cybersecurity and Infrastructure Security Agency has directed federal agencies to address a maximum-severity vulnerability in the Widget Factory Joomla Content Editor plugin that is reportedly being actively exploited in the wild.

CISA adds the flaw to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2026-48907, this issue allows unauthenticated threat actors to achieve remote code execution through low-complexity attacks that target Joomla sites running the JCE WYSIWYG editor plugin.

The agency placed the vulnerability on its Known Exploited Vulnerabilities list Tuesday and instructed Federal Civilian Executive Branch agencies to secure their systems by Friday in line with Binding Operational Directive 26-04.

JCE developers released patches in early June with urgent warnings. "Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA warned. The JCE security team fixed the problem with JCE Pro 2.9.99.6 and urged immediate updates because working exploit code is public, attacks are automated, and even sites without public registration remain at risk.

CISA noted that this category of flaw serves as a frequent attack vector for malicious cyber actors and creates significant risks to the federal enterprise. Agencies must follow applicable BOD 26-04 guidance for cloud services or stop using the product if mitigations are unavailable. Stakeholders bear responsibility for assessing each asset's internet exposure and complying with BOD 26-04 patching rules.

Remediation requires more than simply updating the plugin. The JCE team explained that patching blocks the entry point but does not remove any existing compromise. Administrators should first back up rogue profiles for investigation, then update to JCE 2.9.99.6 or later, delete the attacker's profile, change all passwords including those for the administrator account, the site's database, and the hosting account, and finally perform a full server-side malware scan.

BOD 26-04, issued last Wednesday, requires agencies to prioritize patching according to each vulnerability's exploitation risk. Key considerations include presence in CISA's Known Exploited Vulnerabilities Catalog, public exposure of vulnerable assets, potential for automated large-scale attacks, and the degree of system control granted to adversaries.

CISA previously ordered agencies to address similar actively exploited flaws in products from Ivanti, Gogs, and Apache ActiveMQ within tight deadlines.