CISA orders feds to patch max severity Joomla plugin flaw by Friday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild.

Tracked as CVE-2026-48907, this vulnerability can be exploited by threat actors without privileges to achieve code execution via low-complexity attacks targeting Joomla deployments that use the JCE WYSIWYG editor plugin.

"Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA warned on Tuesday.

The JCE security team addressed this in early June with the release of JCE Pro 2.9.99.6, warning users to patch their installation as soon as possible.

"If you have not yet updated, please do so immediately. The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe," it said.