
Critical JCE Vulnerability in Joomla Actively Exploited – CVSS 10.0


The point: CVE-2026-48907 in Joomla JCE enables unauthenticated code execution, carries a CVSS score of 10.0 and is being actively exploited, while large-scale WordPress attack campaigns run in parallel through manipulated plugins.

The US cybersecurity agency CISA has added the vulnerability CVE-2026-48907 in Joomla Content Editor (JCE) to its catalog of actively exploited vulnerabilities. The vulnerability with CVSS 10.0 allows attackers to execute PHP code without authentication.

The vulnerability results from insufficient access control in Widget Factory's Joomla Content Editor: attackers can create new editor profiles without authenticating, which in turn lets them upload and execute PHP code. Affected are JCE versions 1.0.0 through 2.9.99.4.

The security patch was already released on June 3, 2026 with version 2.9.99.5. Because of the active exploitation, US federal agencies were mandated to install the update by June 19, 2026. CISOs should immediately check Joomla installations running JCE and update them to the patched version.
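The version check recommended above, as an added example that is not part of the original article: it reads the installed JCE version from the extension manifest and tests it against the affected range stated here (1.0.0 through 2.9.99.4, fixed in 2.9.99.5). The manifest path administrator/components/com_jce/jce.xml is an assumption about the Joomla layout, and the sample manifest is constructed for the demonstration; the numeric tuple comparison avoids the trap of comparing version strings as text.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Affected range (1.0.0 through 2.9.99.4) and fix (2.9.99.5) as stated above.
AFFECTED_MIN = (1, 0, 0)
FIXED = (2, 9, 99, 5)

# Constructed sample manifest (not a real file); the layout follows the
# Joomla extension manifest format, which carries a <version> element.
SAMPLE_MANIFEST = """<extension type="component" method="upgrade">
    <name>JCE</name>
    <version>2.9.99.4</version>
</extension>"""


def parse_version(text):
    """Turn '2.9.99.4' into (2, 9, 99, 4). Numeric tuples compare correctly,
    whereas as strings '2.9.99.10' sorts below '2.9.99.5'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the version lies inside the affected range, i.e. below the fix."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def version_from_manifest_xml(xml_text):
    """Extract the <version> element from a Joomla extension manifest."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def assess_manifest_xml(xml_text):
    version = version_from_manifest_xml(xml_text)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def assess_site(joomla_root):
    """Assumed manifest location: administrator/components/com_jce/jce.xml."""
    manifest = Path(joomla_root) / "administrator/components/com_jce/jce.xml"
    if not manifest.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    return {"installed": True, **assess_manifest_xml(manifest.read_text())}


if __name__ == "__main__":
    print(assess_manifest_xml(SAMPLE_MANIFEST))
```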

In parallel, security researchers from Sansec documented a large-scale campaign against over one million WordPress websites. Users of the plugins OptinMonster, TrustPulse, and PushEngage are affected. Attackers inject JavaScript code that waits for administrator login attempts in order to subsequently establish an administrative backdoor account and install a hidden plugin.

Another variant uses a counterfeit plugin named Beloved PBN Entegrasyonu. This sends the website URL to an external server with each page view and injects retrieved code into the footer area. According to Sucuri’s analysis, this access enabled attackers to place PHP webshells directly in WordPress database entries and thereby gain full read and write access to the file system.

The campaigns are attributed to a Turkish-speaking threat actor and serve an SEO monetization model: compromised websites are supplemented with links from private blog networks (PBN), which can lead to search result penalties and cause economic damage to website operators.


Source: www.it-daily.net · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
