Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: joomla (2 articles)Clear

Critical Joomla JCE editor flaw actively exploited to run PHP code

A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, rated a perfect 10) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and run arbitrary PHP code, leading to full server compromise. CISA added it to its known-exploited list and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so even sites with no public registration are at risk. Patching closes the hole but does not remove anything attackers already planted.

Check
Identify Joomla sites using the JCE extension and confirm the version, then audit for unfamiliar editor profiles, suspicious PHP files in upload directories, new admin accounts, and profile-import requests in logs.
Affected
Joomla websites running JCE versions 1.0.0 through 2.9.99.4 (CVE-2026-48907); public-facing sites are being hit by automated attacks regardless of whether public registration is enabled.
Fix
Update JCE to 2.9.99.5 or later now. Since the update does not clean an already-compromised site, also hunt for web shells and rogue accounts, and rotate site, database, and hosting passwords.

Smart Slider 3 Pro update system hijacked - backdoored version pushed to 800,000+ WordPress sites via official channel

Attackers compromised Nextend's update infrastructure and pushed a fully weaponized version of Smart Slider 3 Pro (3.5.1.35) through the official WordPress and Joomla update channel on April 7. Sites with auto-updates enabled received a multi-layered remote access toolkit disguised as a legitimate plugin update. The malicious version was live for approximately six hours before detection. Patchstack's analysis found: unauthenticated remote command execution via crafted HTTP headers, a second authenticated backdoor with PHP eval and OS command execution, a hidden administrator account (prefixed wpsvc_) invisible in the admin interface, persistent backdoors planted in the active theme's functions.php and wp-config.php, and automated credential theft sent to an external server. Traditional defenses like firewalls, nonce verification, and role-based access controls are irrelevant here because the malicious code arrived through the trusted update channel. Affected sites should be considered fully compromised.

Check
Check if any of your WordPress or Joomla sites run Smart Slider 3 Pro. If you updated to version 3.5.1.35 on or after April 7, your site is compromised.
Affected
WordPress and Joomla sites running Smart Slider 3 Pro version 3.5.1.35 that updated between April 7, 2026 and detection ~6 hours later. The free version is not affected. Sites with auto-updates enabled were most at risk.
Fix
If you installed 3.5.1.35: restore from a backup dated April 5 or earlier (to account for time zones). If no backup is available: update to 3.5.1.36, remove the hidden admin user (check for wpsvc_ prefix), clean wp-config.php (remove WP_CACHE_SALT define), clean .htaccess (remove WPCacheSalt line), remove persistence files from theme's functions.php, delete backdoor files in /cache and /media directories, remove malicious wp_options entries (_wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source), reset all admin and database passwords, change FTP/SSH and hosting credentials, and enable 2FA for all admin accounts. Sites should be treated as fully compromised - credential theft means passwords are already in attacker hands.