mySites.guru

JCE Profiles Hack (12th June): Joomla sites running JCE are being actively exploited. Find and fix rogue profiles and webshells across every site.

JCE, a content editor for Joomla
Active exploitation · CVE-2026-48907

The JCE Profiles Hack

An unauthenticated flaw in Joomla's most-installed editor lets attackers import a rogue editor profile and drop a webshell on any site running JCE below 2.9.99.6. No login, fully automated, and the exploit is now public. mySites.guru finds it, and fixes it, across every Joomla site you manage.

No credit card needed · Joomla 3, 4, 5 & 6 supported · Find and fix from one screen

  • 28 May · 2.9.99.4 · Two authenticated bugs patched
  • 3 Jun · 2.9.99.5 · CVE-2026-48907: unauthenticated file upload
  • 8 Jun · 2.9.99.6 · Hardening release after a full audit
  • 9 Jun · Exploit live · Working exploit code published on GitHub

What the JCE Profiles hack actually does

JCE's editor profiles decide which filetypes a user can upload and into which directories. That is normally a good thing: different user groups get different editor capabilities. The flaw, CVE-2026-48907, let an unauthenticated visitor import their own profile.

The attack chain is short. Import a rogue profile that re-enables php and txt uploads with MIME validation switched off, then use that profile to upload a webshell. The result is a persistent backdoor on the server, with no login required at any step.

We did not find this in a lab. We found it on live Joomla sites: a rogue profile built to allow file uploads, and a set of webshells dropped through it, still sitting on disk. It started with three sites in one portfolio. We have since seen hundreds, and with working exploit code published on GitHub on 9 June 2026, we expect thousands over the coming days. This is automated tooling spraying the same exploit at every JCE install it can reach, so a site with no public registration is not safe.

The JCE developer has since confirmed the same thing publicly: the vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe. The most reliable confirmation is in your web server access logs, where unauthenticated requests to index.php?option=com_jce&task=profiles.import mark when the site was first reached. The developer's advisory links to this page for the full technical breakdown.

This is a Joomla-only issue. JCE has no WordPress build, so WordPress sites are unaffected.

How to spot a compromised site

The attack leaves the same fingerprint every time. Check three places: your editor profiles, the files on disk, and your access logs.

Editor profiles you did not create

Machine-generated names like J940401 or J938560, or blunt labels like "Pwned" with a description of "RCE via JCE". They are imported, so there is no matching admin action in your logs.

A profile forced to the top of the list

A large negative ordering value, often -99999, pins the rogue profile above your real ones so it takes effect. Legitimate profiles use normal positive ordering.

Script uploads enabled

The rogue profile lists php, phtml or txt in its upload filetypes with MIME validation switched off. That is the part that lets an attacker drop a webshell. allow_php on its own is not the signal.
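The three profile tells above can be turned into a repeatable check. The following is an added example, not mySites.guru's or JCE's own code: profiles are plain dicts shaped like rows exported from the JCE profiles table, and the key names (name, description, ordering, upload_filetypes, validate_mimetype, allow_php), the sample rows and the -1000 ordering cutoff are assumptions for the example. As the page says, the ability to upload a script file is the discriminator; a negative ordering or an odd name on its own only earns a "review", and allow_php is ignored entirely.

```python
"""Triage JCE editor profiles for the rogue-profile fingerprint.

Added example, not mySites.guru's or JCE's code. Profiles are plain dicts
shaped like rows exported from the JCE profiles table; the key names used
here are assumptions for the example, not JCE's real column names.
"""
import re

SCRIPT_EXTENSIONS = {"php", "phtml", "txt"}      # the types the rogue profile re-enables
MACHINE_NAME = re.compile(r"^J\d{6}$")           # e.g. J940401, J938560
BLUNT_LABEL = re.compile(r"\b(pwned|rce)\b")     # e.g. "Pwned", "RCE via JCE"
NEGATIVE_ORDERING_CUTOFF = -1000                 # assumed cutoff; the attack pins with -99999


def triage_profile(profile):
    """Return {"name", "verdict", "reasons"} for one profile.

    Verdicts: "rogue" when the profile lets a user upload a script file (the
    discriminator), "review" when only supporting tells are present, "ok"
    otherwise. allow_php is deliberately ignored: it governs PHP inside
    article content, not uploads, and legitimate profiles turn it on.
    """
    reasons = []
    raw_types = profile.get("upload_filetypes") or ""
    types = {t.strip().lower() for t in raw_types.split(",") if t.strip()}
    script_types = sorted(types & SCRIPT_EXTENSIONS)
    if script_types:
        msg = "upload filetypes include script extensions: " + ", ".join(script_types)
        if not profile.get("validate_mimetype", True):
            msg += " (MIME validation off)"
        reasons.append(msg)

    ordering = int(profile.get("ordering") or 0)
    if ordering <= NEGATIVE_ORDERING_CUTOFF:
        reasons.append(f"ordering {ordering} forces the profile above every real one")

    name = str(profile.get("name", ""))
    text = (name + " " + str(profile.get("description", ""))).lower()
    if MACHINE_NAME.match(name):
        reasons.append(f"machine-generated name {name!r}")
    elif BLUNT_LABEL.search(text):
        reasons.append(f"blunt label in name or description: {name!r}")

    if script_types:
        verdict = "rogue"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name, "verdict": verdict, "reasons": reasons}


# Constructed rows for the example: two legitimate profiles and one rogue one.
SAMPLE_PROFILES = [
    {"name": "Default", "description": "Default profile", "ordering": 1,
     "upload_filetypes": "jpg,jpeg,png,gif,pdf,doc,docx",
     "validate_mimetype": True, "allow_php": False},
    {"name": "Developers", "description": "Site build team", "ordering": 2,
     "upload_filetypes": "jpg,png,svg,pdf",          # allow_php on, but no script uploads
     "validate_mimetype": True, "allow_php": True},
    {"name": "J940401", "description": "RCE via JCE", "ordering": -99999,
     "upload_filetypes": "php,txt",
     "validate_mimetype": False, "allow_php": True},
]


def triage_all(profiles=SAMPLE_PROFILES):
    return [triage_profile(p) for p in profiles]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['verdict']:6} {result['name']}")
        for reason in result["reasons"]:
            print("        -", reason)
```

Run against a real export, the "Developers" row shows the point of the design: a permissive but legitimate profile comes back "ok", while the imported one is reported as "rogue" with every reason spelled out before anything is deleted.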

Webshells dropped on disk

Unexpected PHP in tmp, media, images or the libraries tree. Look for hidden .xml.php droppers, eval(gzinflate(base64_decode(...))) blobs, shell_exec command shells, and small "Nxploited" marker files.
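A file sweep for the on-disk artefacts just listed, as an added example rather than mySites.guru's scanner. The indicator names come from the page (hidden .xml.php droppers, eval(gzinflate(base64_decode(...))) blobs, shell_exec command shells, "Nxploited" marker files, PHP in tmp, media or images); the sample file tree, its paths and its contents are constructed stand-ins, not real malware. Inside the libraries tree every file is PHP, so there only the content signatures apply.

```python
"""Sweep a Joomla webroot for the on-disk artefacts of the JCE profiles attack.

Added example, not mySites.guru's scanner. The sample tree built by
build_sample_site() is constructed for the example and contains no real malware.
"""
import os
import re
import tempfile

UNEXPECTED_PHP_DIRS = ("tmp", "media", "images")   # PHP should not normally live here
CONTENT_SIGNATURES = [
    ("obfuscated eval blob", re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(")),
    ("shell_exec command shell", re.compile(rb"shell_exec\s*\(")),
]
MAX_READ = 512 * 1024   # read at most the first 512 KiB of each file


def scan_site(root):
    """Return sorted [(relative_path, reason), ...] for every indicator hit under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            top = rel.split("/", 1)[0]
            lower = fname.lower()
            hidden_php = lower.startswith(".") and lower.endswith(".php")
            if hidden_php:
                findings.append((rel, "hidden dot-file with .php extension (dropper pattern)"))
            if "nxploited" in lower:
                findings.append((rel, "Nxploited marker file"))
            if lower.endswith((".php", ".phtml")) and top in UNEXPECTED_PHP_DIRS and not hidden_php:
                findings.append((rel, f"PHP file in {top}/ where none is expected"))
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                continue
            for label, pattern in CONTENT_SIGNATURES:
                if pattern.search(head):
                    findings.append((rel, label))
    return sorted(findings)


# Constructed sample tree: three benign files and three artefacts. Placeholders
# stand in for real payloads; nothing here executes anything.
SAMPLE_TREE = {
    "libraries/src/Factory.php": b"<?php\nnamespace Joomla\\CMS;\nclass Factory {}\n",
    "administrator/components/com_example/helper.php": b"<?php // legitimate code\n",
    "images/logo.png": b"\x89PNG\r\n\x1a\n",
    "tmp/cache_1a2b.php": b"<?php eval(gzinflate(base64_decode('BASE64_PLACEHOLDER')));\n",
    "media/.xml.php": b"<?php shell_exec(CONSTRUCTED_PLACEHOLDER);\n",
    "images/Nxploited.txt": b"Nxploited\n",
}


def build_sample_site(root, tree=SAMPLE_TREE):
    for rel, content in tree.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point scan_site() at a real webroot to use it as-is; the two legitimate PHP files in the sample tree come back clean, which is the property a sweep like this has to keep as patterns are added.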

A two-request signature in your logs

A POST to task=profiles.import that creates the rogue profile, followed immediately by a POST to method=upload that drops the shell. Both return 200, both unauthenticated, often carrying an id=RCExxx marker.
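The log signature above, and the "first reached" marker mentioned earlier, can be pulled out of a combined-format access log. This is an added example, not mySites.guru's code: the endpoint markers (task=profiles.import, method=upload, the id=RCE... parameter) are the ones the page names, while the full query strings, IP addresses, timestamps and the five-minute pairing window in SAMPLE_LOG are constructed assumptions for the example.

```python
"""Find the two-request JCE signature in Apache/Nginx combined-format access logs.

Added example, not mySites.guru's code. SAMPLE_LOG is constructed; only the
endpoint markers (task=profiles.import, method=upload, id=RCE...) come from
the page's description of the attack.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
RCE_MARKER = re.compile(r"[?&]id=(RCE\w*)")
PAIR_WINDOW = timedelta(minutes=5)   # assumed: how close the two POSTs must be


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    jce = "option=com_jce" in rec["path"]
    rec["is_import"] = jce and "task=profiles.import" in rec["path"]
    rec["is_upload"] = jce and "method=upload" in rec["path"]
    marker = RCE_MARKER.search(rec["path"])
    rec["marker"] = marker.group(1) if marker else None
    return rec


def find_jce_signature(lines):
    """Return import/upload POST pairs per client IP, plus lone import hits.

    A 200 POST to task=profiles.import followed by a 200 POST to method=upload
    from the same IP inside PAIR_WINDOW is reported as a "pair". An import POST
    with no upload behind it is reported as "import_only": the page notes the
    first such request dates when the site was reached. The access log cannot
    show whether a Joomla session existed, so every 200 hit is reported.
    """
    records = [r for r in (parse_line(line) for line in lines)
               if r and r["method"] == "POST" and r["status"] == 200]
    imports = [r for r in records if r["is_import"]]
    uploads = [r for r in records if r["is_upload"]]
    findings = []
    for imp in imports:
        match = next(
            (u for u in uploads
             if u["ip"] == imp["ip"] and timedelta(0) <= u["time"] - imp["time"] <= PAIR_WINDOW),
            None,
        )
        if match:
            findings.append({"kind": "pair", "ip": imp["ip"],
                             "import_at": imp["time"].isoformat(),
                             "upload_at": match["time"].isoformat(),
                             "marker": match["marker"] or imp["marker"]})
        else:
            findings.append({"kind": "import_only", "ip": imp["ip"],
                             "import_at": imp["time"].isoformat(),
                             "marker": imp["marker"]})
    return findings


# Constructed log lines: one normal visitor, one complete two-request pair,
# one import attempt that did not return 200, and one lone import hit.
SAMPLE_LOG = """\
198.51.100.23 - - [09/Jun/2026:03:58:40 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 14021 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:04:12:01 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2026:04:12:03 +0000] "POST /index.php?option=com_jce&method=upload&id=RCE4821 HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.55 - - [09/Jun/2026:05:40:10 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 210 "-" "python-requests/2.31"
192.0.2.99 - - [09/Jun/2026:06:01:00 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "curl/8.5.0"
""".splitlines()


if __name__ == "__main__":
    for f in find_jce_signature(SAMPLE_LOG):
        print(f)
```

Feed it `sys.stdin` or an open log file instead of SAMPLE_LOG for real use. A "pair" is the full fingerprint and the timestamp of its import request is the moment to anchor your timeline and evidence copy on; an "import_only" hit still deserves a look at the profiles table, because the upload may have been logged elsewhere or rotated away.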

It is automated, not targeted

This is a botnet spraying the same exploit at every JCE install it can reach. A site with no public registration is not safe, because the flaw needs no login at all.

Built into mySites.guru

Check for JCE Rogue Profiles & Backdoors

Hunting for this by hand, one administrator panel at a time across 40 client sites, is the kind of job that never actually gets done. So we built a check that does it for you, on every connected Joomla site, on every snapshot, twice a day.

  • Sits in the "Hacked?" section of each site's health view: a single OK, or a red count of threats.
  • Finds rogue editor profiles and the webshells they drop, scoped to this attack's fingerprint.
  • A permissive profile with allow_php on for legitimate reasons is not flagged. The discriminator is whether it lets you upload a script file.
  • Shows you every rogue profile and file first, with a plain-English reason, before anything is removed.
  • Remove the profiles, delete the backdoors, and update JCE to the patched version from the same screen.
See the tool in detail

Threats flagged in the Hacked section of the site health view

A clean result once the profiles are removed and JCE is patched

Detection built in, sharpened this week

mySites.guru was already catching this, and now goes further

The dedicated JCE check above is new. The detection underneath it is not. Every mySites.guru audit has always read every file in your webspace, line by line, including the dormant files a browser-based scanner never sees. The webshells this attack drops, the hidden .xml.php droppers, the obfuscated eval(gzinflate(base64_decode(...))) blobs, the shell_exec command shells, were already being flagged by the suspect content and hacked file scanning that runs on every snapshot: over 2,000 hand-written patterns and 14,000+ confirmed-hacked file hashes, updated daily. Even the fake JCE profile itself stood out, because of tells like the forced -99999 ordering no real profile ever uses.

What we built this week is a whole set of new tooling aimed squarely at this attack. A dedicated check that targets the specific known droppers and files from the JCE hack and reports them in their own "Hacked?" section, a one-click tool that removes a fake profile straight from the JCE profiles database, and the detection signatures behind both, all added in days. It is the difference between "your audit flagged some suspect files, go and read them" and "this is the JCE profiles attack, here is exactly what to remove, remove it now." If you want the detail on the two underlying signals and how to tell a real threat from a noisy one, the suspect content vs hacked files guide walks through it.

That is the pattern, not the exception. mySites.guru is, has been, and always will be updated daily with new features, tools, recipes and detection to match what agencies running Joomla, and WordPress, actually need as the threats move. When the next attack lands, the underlying scanning has usually already seen the shape of it, and a targeted tool follows close behind.

Every JCE install across your sites, grouped by version

Find every vulnerable install, then patch them in one batch

Cleaning up after a hit is only half the job. The other half is making sure none of your other sites are next. The extension search lists every site with JCE installed, grouped by version, so you can find anything still on a vulnerable build in seconds, then push the patch across every affected site with the mass updater instead of logging into each panel by hand.

  • 2.9.99.6 (Patched): Recommended target for every site. Hardening audit on top of every prior fix.
  • 2.9.99.5 (Patched): Closes CVE-2026-48907. Update again to 2.9.99.6.
  • 2.9.99.4 and earlier (Vulnerable): Carries the unauthenticated profile upload. Public exploit exists. Update, or apply the free patch if you cannot.
  • 2.7.x, 2.8.x (Vulnerable): Carries the flaw and years of unpatched issues. The developer's free patch package covers these for sites that cannot update.
  • 2.6.x (Not affected): Not affected in a default config: the profile import path is blocked. Still unsupported, so plan to migrate.

Open the extension search

Stuck on an old Joomla or PHP version? There is a free patch

JCE 2.9.99.6 needs PHP 7.4 and Joomla 3.10 or later. For sites that genuinely cannot meet that yet, the JCE developer has released a free patch package that closes this vulnerability in JCE 2.7.x, 2.8.x and 2.9.x. JCE 2.6.x is not affected in a default configuration, but is unsupported and should still be migrated.

The patch is a stopgap, not a substitute for updating. It closes the vulnerability only, without the broader 2.9.99.6 hardening, and it does not clean a site that was already compromised. Back up and test on a copy first, and plan to move to a supported Joomla and PHP version. Updating remains the right answer wherever it is possible.

Download the free patch package

How it works

  1. Connect your Joomla sites. Register for free and install the mySites.guru connector extension. It takes about two minutes per site, with no configuration required.
  2. We scan for the JCE fingerprint. On every snapshot, twice a day, the check hunts for rogue editor profiles and the webshells they drop, across your whole portfolio at once.
  3. Review, clean and patch. See every flagged profile and file, remove them, and update JCE to the patched version from the same screen. Then sweep the rest with the extension search.

Scan Your Joomla Sites Now

Free to start. No credit card required.

Already found a rogue profile?

Treat the site as compromised and work through these in order. Patch the entry point, or it just reinfects.

  1. Take a copy of the suspect profile and any suspect files first, as evidence, before you remove anything.
  2. Delete the rogue editor profile and every webshell it dropped.
  3. Update JCE to 2.9.99.6 so the entry point is closed. Removing files without patching invites reinfection.
  4. Rotate your Joomla secrets and passwords, and any reused credentials.
  5. Run a full file-level malware scan to confirm nothing else was dropped.

Want it handled for you? fix.mysites.guru offers same-day remediation at a flat rate.

Trusted by agencies managing Joomla at scale

Tim Heeley, WebAdmin
★★★★★

Comprehensive, innovative and a lifeline for anyone building and managing websites. The speed at which he acted with the JCE hack illustrates Phil's vigilance and speedy approach to developing security tools in real time.

Read more reviews
Doris Dreher, Owner of Webdesign Einfach schön...
★★★★★

Thank you so much for your fantastic tool. Without it, I would never have noticed the installation of the backdoor plugins so quickly, and the cleanup work is so much more efficient. Best regards. Doris

Ben Thoma, Hinterhof Agentur
★★★★★

We manage around 100 Joomla projects and are very happy that mysites.guru takes so much work off our hands. This makes regular Joomla maintenance a profitable business for us.


Common questions

What is the JCE Profiles hack?
It is a Joomla compromise that abuses the JCE editor's profile system. On a site running a JCE version before 2.9.99.5, an attacker imports a malicious editor profile that re-enables uploads of php and txt files, then uses that profile to upload a webshell. The underlying flaw is the unauthenticated profile upload patched in JCE 2.9.99.5 and tracked as CVE-2026-48907.
Is this exploitable without a login?
Yes. That is what makes it dangerous. CVE-2026-48907 needs no account at all, so "my site has no public registration" is not protection. An anonymous visitor can import the rogue profile and upload the shell. Since working exploit code was published on GitHub on 9 June 2026, anyone can run it, not just the original attackers.
How do I know if my Joomla site has been hit?
Look for editor profiles you did not create, especially ones with a machine-generated name, a large negative ordering value that forces them to the top, and upload filetypes that include php or txt. On disk, look for unexpected PHP files in tmp, media and images, hidden files named like .xml.php, and small marker files. Pulling access logs for unauthenticated requests to JCE's profile and upload endpoints confirms the entry point.
Which JCE versions are vulnerable?
All versions of JCE Free and JCE Pro before 2.9.99.5, down to the 2.7.x and 2.8.x branches. The unauthenticated profile upload was fixed in 2.9.99.5 on 3 June 2026, and a hardening release, 2.9.99.6, followed on 8 June 2026. Any site still on 2.9.99.4 or earlier carries the flaw, and 2.9.99.6 is the version the developer recommends for every site. JCE 2.6.x is the exception: the developer confirms it is not affected in a default configuration, because the unauthenticated profile import path is blocked and no guest-accessible profile exists by default. 2.6.x is still unsupported and may carry other unpatched issues, so plan to migrate it.
What if a site cannot update to 2.9.99.6?
2.9.99.6 needs PHP 7.4 and Joomla 3.10 or later. For sites that genuinely cannot meet that yet, the JCE developer has published a free patch package that closes this vulnerability in JCE 2.7.x, 2.8.x and 2.9.x. It is a stopgap: it fixes the vulnerability only, without the wider 2.9.99.6 hardening, and it does not clean a site that was already compromised. Back up and test on a copy first, and still plan to move to a supported Joomla and PHP version. Where updating is possible, update rather than patch.
Does enabling allow_php in a profile mean my site is hacked?
No. The allow_php setting governs whether PHP is allowed inside article content, not whether files can be uploaded. A legitimate, developer-created profile can have it on. The attacker signature is different: a profile that permits uploading php or txt files through the file browser, usually with an odd name and a forced ordering. Judge a profile by its upload filetypes and how it got there, not by allow_php alone.
How does mySites.guru find vulnerable JCE installs across many sites?
Two ways. The extension search lists every site with JCE installed, grouped by version, so you can find every install still on a vulnerable build in seconds rather than logging into each administrator panel, then patch them all in one batch with the mass updater. Separately, the Check for JCE Rogue Profiles & Backdoors check hunts for sites that were already hit, flagging rogue profiles and webshells across your whole portfolio on every twice-daily snapshot, and letting you clean and patch them from one screen.
What do I do first if I find a rogue profile?
Treat the site as compromised. Take a copy of the suspect profile and any suspect files for evidence, then delete the rogue profile and the webshells, update JCE to 2.9.99.6, rotate Joomla secrets and passwords, and run a full malware scan. Removing the files without patching JCE just invites reinfection, because the entry point is still open. If you would rather hand the cleanup to an expert, fix.mysites.guru offers same-day remediation at a flat rate.
Does this affect WordPress?
No. JCE is a Joomla-only editor extension with no WordPress build and no shared codebase. WordPress sites running the block editor or TinyMCE are unaffected. The profile-import mechanism that makes this attack work is specific to JCE on Joomla.

Find the JCE hack before it finds your sites

Connect your Joomla sites and let mySites.guru hunt for rogue profiles and backdoors twice a day, then clean and patch them from one screen. Free to start.

Scan Your Joomla Sites Now
No credit card needed · Joomla 3, 4, 5 & 6 · Protecting Joomla since 2012