CISA Warns of Actively Exploited Joomla Vulnerability, WordPress Sites Under Attack
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has added a critical improper access control vulnerability in the **Widget Factory Joomla Content Editor (JCE)** to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching due to active exploitation. This comes as multiple campaigns continue to target **WordPress** sites with sophisticated supply chain attacks and web shell injections.
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a severe warning, adding a maximum-severity security flaw impacting **Widget Factory Joomla Content Editor (JCE)** to its Known Exploited Vulnerabilities (KEV) catalog. The agency cites compelling evidence of active exploitation.
The vulnerability, identified as **CVE-2026-48907** (CVSS score: 10.0), is an improper access control issue that could enable arbitrary code execution. **CISA** states that **JCE** lets unauthenticated users create new editor profiles, and that this profile import path is what allows PHP code to be uploaded and executed.
According to **CVE.org**, this flaw in the **JCE** editor extension for **Joomla** permits malicious actors to create new editor profiles without authentication, leading directly to PHP code upload and execution.
The issue affects **JCE** versions from 1.0.0 through 2.9.99.4. A patch was released in version 2.9.99.5 on June 3, 2026. **Widget Factory**'s release notes confirm that "insufficient access controls permitted unauthenticated users to upload editor profiles."
**Joomla** has underscored the urgency, stating, "The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe." They further cautioned that while updating closes the entry point, it does not clean an already compromised site. Users are advised to check for suspicious editor profiles and audit web server access logs for unauthenticated requests to `index.php?option=com_jce&task=profiles.import`.
Phil E. Taylor of **mySites.guru** has reported that attackers are weaponizing the vulnerability to import rogue editor profiles and deploy web shells, establishing persistent backdoors on affected servers. Federal Civilian Executive Branch (**FCEB**) agencies have been mandated to apply the fixes by June 19, 2026.
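A log-audit helper for the check Joomla recommends above: it parses combined-format access log lines and flags requests to `index.php` whose query carries `option=com_jce` and `task=profiles.import`, regardless of parameter order or URL encoding. This is an added example, not code from Joomla, CISA or Widget Factory; the log lines are constructed samples and the combined log format is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines in combined format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2026:10:15:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [04/Jun/2026:10:16:40 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [04/Jun/2026:10:17:01 +0000] "POST /index.php?task=profiles.import&option=com_jce&format=json HTTP/1.1" 200 298 "-" "curl/8.4.0"
198.51.100.9 - - [04/Jun/2026:10:17:05 +0000] "GET /index.php?option=com_jce&task=profiles%2Eimport HTTP/1.1" 200 1044 "-" "curl/8.4.0"
203.0.113.5 - - [04/Jun/2026:10:18:11 +0000] "GET /administrator/index.php?option=com_jce&view=profiles HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_jce_profile_import(target: str) -> bool:
    """True if the request target hits index.php with option=com_jce and task=profiles.import."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    # parse_qs percent-decodes values once, so profiles%2Eimport is matched as profiles.import.
    params = parse_qs(parts.query, keep_blank_values=True)
    option = [v.lower() for v in params.get("option", [])]
    task = [v.lower() for v in params.get("task", [])]
    return "com_jce" in option and "profiles.import" in task


def find_jce_profile_imports(log_text: str) -> list[dict]:
    """Return one record per log line that requests the JCE profile import endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_jce_profile_import(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": urlsplit(m["target"]).path, "status": int(m["status"])})
    return hits


def count_by_source(hits: list[dict]) -> dict:
    """Aggregate flagged requests per client address for triage."""
    counts: dict = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_jce_profile_imports(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Any hit on an unpatched site warrants checking the JCE editor profiles for entries you did not create; a request that returned a success status is not proof of compromise on its own, but it is the trigger for that review.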

### Multiple Campaigns Target WordPress Sites
This disclosure coincides with reports of new attack campaigns targeting **WordPress** installations. **Sansec** detailed a supply chain attack affecting over 1 million sites using **OptinMonster**, **TrustPulse**, and **PushEngage** **WordPress** plugins. Threat actors in this campaign injected malicious JavaScript designed to create backdoor admin accounts and install self-hiding backdoor plugins when a logged-in administrator visits the site.
Another campaign involves unknown attackers compromising **WordPress** sites to embed a fake plugin named "Beloved PBN Entegrasyonu." This plugin silently beacons the site's URL to an external API on every page load and injects arbitrary HTML or JavaScript into the web page's footer.
The exact method of initial breach for this latter campaign remains unclear. However, the access allowed attackers to stage two PHP web shells as raw executable code within the `wp_posts` database records. This granted them the ability to interact with the scripts over HTTP, facilitating unrestricted read/write access to the entire server file system without authentication.
These database-resident payloads enable threat actors to perform a wide range of file actions, including reading, writing, editing, or deleting any file; browsing directories; changing file permissions; renaming files; creating new files and folders; and uploading files from their own computers.
Puja Srivastava, a researcher at **Sucuri**, explained the impact: "Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site's search rankings and risking a manual penalty in Google Search Console."
She concluded, "The campaign is operated by a Turkish-speaking threat actor and is built around a classic SEO monetization scheme: hidden backlink injection for a Private Blog Network (PBN), most likely tied to the gambling and adult affiliate niche."