{"id":274965,"date":"2026-06-17T06:09:00","date_gmt":"2026-06-17T10:09:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/17\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/"},"modified":"2026-06-17T18:46:20","modified_gmt":"2026-06-17T22:46:20","slug":"cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/17\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/","title":{"rendered":"CISA orders feds to patch max severity Joomla plugin flaw by Friday"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/\">CISA orders feds to patch max severity Joomla plugin flaw by Friday<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-17 06:09:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild.<\/p>\n<p>Tracked as CVE-2026-48907, this vulnerability can be exploited by threat actors without privileges to achieve code execution via low-complexity attacks targeting Joomla deployments that use the JCE WYSIWYG editor plugin.<\/p>\n<p>&#8220;Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users,&#8221; CISA warned on Tuesday.<\/p>\n<p>The JCE security team addressed this in early June with the release of JCE Pro 2.9.99.6, warning users to patch their installation as soon as possible.<\/p>\n<p>&#8220;If you have not yet updated, please do so immediately. The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe,&#8221; it said.<\/p>\n<p>&#8220;One important point: updating closes the entry point but does not clean a site that was already compromised. 
If you were hit before updating, the update will not remove what the attacker left behind.&#8221;<\/p>\n<p>To clean compromised sites, users are advised to first back up the rogue profiles for further investigation, then update to JCE 2.9.99.6 or later, delete the attacker&#8217;s profile, change all passwords (including those for the administrator account, the site&#8217;s database, and the hosting account), and then run a full server-side malware scan to confirm no other malicious tools or implants were planted.<\/p>\n<p>On Tuesday, CISA added the vulnerability to its list of actively exploited vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems by Friday, as required by Binding Operational Directive (BOD) 26-04.<\/p>\n<p>&#8220;This type of vulnerability is a frequent attack&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA orders feds to patch max severity Joomla plugin flaw by Friday https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday\/ Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":274966,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/06\/17\/Joomla.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,32,27],"class_list":["post-274965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274965"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=274965"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274965\/revisions"}],"predecessor-version":[{"id":274967,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274965\/revisions\/274967"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/274966"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=274965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=274965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=274965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}