CVE-2026-48907

What is Joomla Content Editor (JCE)?

Joomla Content Editor (JCE) is the most widely installed third-party extension for the Joomla CMS, with millions of active installations across news portals, government websites, educational institutions, and e-commerce storefronts. It replaces Joomla's default TinyMCE editor with a richer WYSIWYG experience that includes a file manager, image editor, and media upload capabilities. Because JCE runs with Joomla's full filesystem and database access, and because compromising a Joomla site provides a server foothold as the web server user, it is a perennial target for automated exploitation campaigns.

Overview

CVE-2026-48907 is an improper access control vulnerability (CWE-284) in JCE's editor profile import handler. A handler that should be restricted to administrators can be reached by any unauthenticated visitor — including anonymous guests. The handler accepts a file upload but fails to enforce file extension restrictions, allowing a PHP webshell disguised with a double extension (.xml.php) to be written to the web-accessible filesystem. Exploitation requires only three HTTP requests and yields remote code execution as the web server user.

CISA added CVE-2026-48907 to the KEV catalog on June 16, 2026, the same week the PoC was published. The JCE vendor confirmed automated botnet exploitation: "attacks are automated and widespread." The flaw echoes CVE-2012-2902, a nearly identical JCE vulnerability from 2012 that compromised tens of thousands of Joomla sites.

Affected Versions

JCE 2.9.99.5 introduced the security fix. JCE 2.9.99.6 shipped a regression; Widget Factory recommends upgrading directly to 2.9.99.7. Older JCE branches (1.x, 2.x pre-2.9.99) are patched separately via the free security patch available at joomlacontenteditor.net.

Technical Details

The vulnerability chains three weaknesses in the profile import handler, reachable at:

POST /index.php?option=com_jce&task=profiles.import

Weakness 1 — Missing authorization: The handler validates the presence of a CSRF token but never checks whether the requesting user is an administrator or even logged in. Any visitor can obtain a valid CSRF token from any Joomla page (it is embedded in public-facing forms), satisfying the only access check.

Weakness 2 — File extension not validated: JCE uses File::makeSafe() to sanitize uploaded filenames, which strips special characters and null bytes but does not filter file extensions. A double-extension filename such as payload.xml.php passes the sanitizer intact — JCE treats the name as safe because .xml appears valid, while the server will execute it as PHP due to the trailing .php extension.

Weakness 3 — Upload safety explicitly disabled: The upload call passes $allow_unsafe = true:

File::upload($source, $destination, false, true);

This disables Joomla's built-in file type safety checks at the framework level, ensuring the PHP file is written unconditionally.

Three-request exploit chain (documented by YesWeHack/ywh-jfellus):

1. GET / — retrieve any Joomla page to extract a valid CSRF token from the HTML
2. POST /index.php?option=com_jce&task=profiles.import — submit a multipart form with the CSRF token and the .xml.php webshell file; JCE writes it to a temporary or upload directory under the webroot
3. GET /tmp/<uploaded-file>.xml.php?cmd=id — execute arbitrary OS commands as the web server user

The attack surface is any internet-facing Joomla site with JCE installed — no account, no brute force, no prior access required.

Discovery

The vulnerability was discovered and reported by YesWeHack researcher ywh-jfellus, who published a full technical write-up and proof-of-concept on June 10, 2026. Phil Taylor of mySites.guru independently contributed forensic analysis of compromised sites, identifying attacker IOCs and behavior patterns seen in the wild.

Widget Factory silently patched the issue in JCE 2.9.99.5 on June 3, 2026, before public disclosure. The advisory and free patch for older branches were published June 9.

Exploitation Context

Exploitation was underway before the public advisory was issued and accelerated after PoC release. The JCE vendor's advisory explicitly states: "attacks are automated" — botnets were scanning for and exploiting vulnerable JCE installs within days of the silent patch.

Phil Taylor's forensic analysis of compromised sites identified the following indicators of compromise:

• Rogue editor profiles named with the pattern J[0-9]{6} (e.g., J482931) in the #__wf_profiles database table
• Uploaded webshells with .xml.php extensions in /tmp/, /images/, and /media/ directories
• Marker file named Nxploited written to the webroot on successfully backdoored sites
• Attacker IPs observed at time of disclosure: 107.149.130.5, 92.38.150.143, 45.153.129.241

Historical precedent underscores the scale of risk: CVE-2012-2902, a nearly identical JCE file upload flaw from 2012 with the same root cause (missing auth on the profiles endpoint), compromised tens of thousands of Joomla sites before being patched.

Remediation

1. Upgrade JCE immediately: Update to Joomla Content Editor 2.9.99.7 (skip 2.9.99.6, which introduced a regression). In the Joomla Extensions Manager, JCE should appear with an available update.
2. Apply the free security patch for older branches: If running a JCE version before 2.9.99, download the security patch from joomlacontenteditor.net/downloads/editor/security-patch/ and install it via the Joomla installer.
3. Scan for rogue profiles: Query the Joomla database for editor profiles matching the pattern J[0-9]{6}:

   SELECT * FROM #__wf_profiles WHERE title REGEXP '^J[0-9]{6}$';
   

   Delete any entries found and treat the site as compromised.
4. Search for uploaded webshells: Scan the site's /tmp/, /images/, /media/, and upload directories for files with .xml.php, .php5, .phtml, or other PHP-executable extensions. Remove any found and rotate all credentials.
5. Hunt for the Nxploited marker: Check the webroot for a file named Nxploited. Its presence confirms successful exploitation.
6. Review web server logs: Search for POST requests to index.php?option=com_jce&task=profiles.import from unexpected IP addresses and for subsequent GET requests to uploaded .xml.php files.
7. Restrict JCE profile management: If the attack surface cannot be patched immediately, consider disabling the JCE component via Joomla's Extensions Manager (Extensions → Manage → Disable) until patching is complete.