CISA Mandates Urgent Patch for Actively Exploited Joomla JCE Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to immediately patch a critical vulnerability in the **Widget Factory Joomla Content Editor (JCE)** plugin. Tracked as **CVE-2026-48907**, this maximum-severity flaw is being actively exploited in the wild, allowing unauthenticated attackers to achieve remote code execution.
The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has ordered federal agencies to prioritize patching a severe vulnerability in the **Widget Factory Joomla Content Editor (JCE)** plugin. This flaw, identified as **CVE-2026-48907**, is currently under active exploitation.
### Unauthenticated Code Execution Risk
**CVE-2026-48907** allows threat actors to execute arbitrary code without requiring any prior authentication. The attacks are low-complexity, targeting Joomla deployments that utilize the JCE WYSIWYG editor plugin. CISA's warning highlights the severity: "Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users."
### Urgent Patch Released, Exploitation Underway
The JCE security team addressed this critical flaw in early June with the release of **JCE Pro 2.9.99.6**. Users are strongly urged to update their installations immediately.
"If you have not yet updated, please do so immediately. The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe," the JCE team warned.
### Post-Compromise Remediation Steps
It's crucial to understand that updating the plugin only closes the entry point; it does not clean a site that was already compromised. For systems that may have been breached before patching, the following steps are advised:
1. **Backup** any rogue profiles for further investigation.
2. **Update** to **JCE 2.9.99.6** or a later version.
3. **Delete** any attacker-created profiles.
4. **Change all passwords**, including administrator accounts, database credentials, and hosting account passwords.
5. Conduct a **full server-side malware scan** to ensure no other malicious tools or implants remain.
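Step 2 above is the one that can be checked mechanically across many sites. The script below is an added example, not code from the article or from the JCE project: it reads the installed JCE version from the editor plugin's Joomla manifest and compares it against the fixed release, taking care that a four-component version such as 2.9.99.6 sorts correctly against 2.9.99 and 2.9.100. The manifest path `plugins/editors/jce/jce.xml` is an assumption, and the sample manifest is constructed.

```python
"""Audit a Joomla install's JCE editor plugin version against the fixed release."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_VERSION = "2.9.99.6"  # release the article names as closing CVE-2026-48907
# Assumed manifest location relative to the Joomla root (not stated by the article).
MANIFEST_REL_PATH = Path("plugins/editors/jce/jce.xml")


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integer components; ignores suffixes like ' Pro'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return parts


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed >= fixed. Tuple comparison gives 2.9.99 < 2.9.99.6 < 2.9.100."""
    return parse_version(installed) >= parse_version(fixed)


def version_from_manifest(manifest_xml: str) -> str:
    """Return the text of the <version> element of a Joomla extension manifest."""
    node = ET.fromstring(manifest_xml).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def audit_site(joomla_root: Path) -> dict:
    """Report installed JCE version and patch status for one Joomla root directory."""
    manifest = joomla_root / MANIFEST_REL_PATH
    if not manifest.is_file():
        return {"installed": None, "patched": None, "note": "JCE manifest not found"}
    installed = version_from_manifest(manifest.read_text(encoding="utf-8"))
    return {"installed": installed, "patched": is_patched(installed), "note": ""}


# Constructed sample manifest (shape of a Joomla plugin manifest; values are made up).
SAMPLE_MANIFEST = """<extension type="plugin" group="editors" method="upgrade">
  <name>plg_editors_jce</name>
  <version>2.9.98</version>
</extension>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_site(Path(sys.argv[1])))
    else:
        v = version_from_manifest(SAMPLE_MANIFEST)
        print(f"sample manifest: {v} patched={is_patched(v)}")
```

Run it as `python audit_jce.py /var/www/site` for each Joomla root; a `patched` of `False` means the site still needs step 2 before the cleanup steps are meaningful.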
### CISA's Directive and BOD 26-04
CISA has added **CVE-2026-48907** to its **Known Exploited Vulnerabilities Catalog**. Federal Civilian Executive Branch (FCEB) agencies are mandated to secure their systems by Friday, in accordance with **Binding Operational Directive (BOD) 26-04**.
CISA emphasized the danger: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." Agencies are instructed to follow BOD 26-04 guidance for cloud services or discontinue product use if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and ensure adherence to patching guidelines.
BOD 26-04, issued recently, requires U.S. government agencies to prioritize patching based on the risk of exploitation. Key factors include whether a flaw is in CISA's catalog, if vulnerable assets are publicly exposed, if exploitation can be automated for large-scale attacks, and if it grants partial or total control to attackers.