The JCE Profiles Hack
An unauthenticated flaw in Joomla's most-installed editor lets attackers import a rogue editor profile and drop a webshell on any site running JCE below 2.9.99.5. No login, fully automated, and the exploit is now public. The current patched release is 2.9.99.8. mySites.guru finds it, and fixes it, across every Joomla site you manage.
- 3 Jun · 2.9.99.5 · CVE-2026-48907: unauthenticated file upload
- 8 Jun · 2.9.99.6 · Hardening release after a full audit
- 16 Jun · CISA KEV · Added to CISA's exploited-vulnerabilities catalog
- 18 Jun · 2.9.99.7 · Fixes the 2.9.99.6 upload regression, adds a group whitelist
- 2 Jul · 2.9.99.8 · Maintenance release, current version. File Browser never lists php, js or exe
What the JCE Profiles hack actually does
JCE's editor profiles decide which filetypes a user can upload and into which directories. That is normally a good thing: different user groups get different editor capabilities. The flaw, CVE-2026-48907, let an unauthenticated visitor import their own profile.
The attack chain is short. Import a rogue profile that re-enables php and txt uploads with MIME validation switched off, then use that profile to upload a webshell. The result is a persistent backdoor on the server, with no login required at any step.
We did not find this in a lab. We found it on live Joomla sites: a rogue profile built to allow file uploads, and a set of webshells dropped through it, still sitting on disk. It started with three sites in one portfolio. We have since seen hundreds, and with working exploit code published on GitHub on 9 June 2026, we expect thousands over the coming days. This is automated tooling spraying the same exploit at every JCE install it can reach, so a site with no public registration is not safe.
The JCE developer has since confirmed the same thing publicly: the vulnerability is being actively exploited, working exploit code is public, and the attacks are automated. The developer's reliable confirmation tell is in your web server access logs: unauthenticated requests to index.php?option=com_jce&task=profiles.import mark when the site was first reached. That advisory links to this page for the full technical breakdown.
On 16 June 2026, the US government's cyber agency, CISA, added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog, listed as the "Widget Factory Joomla Content Editor Improper Access Control Vulnerability". CISA only adds a flaw to that catalog when it has evidence of active exploitation in the wild, so this is independent, government-grade confirmation of what we and the developer were already seeing. The catalog comes with a remediation deadline for US federal agencies, and while that directive binds only those agencies, CISA urges every organisation to treat a KEV-listed flaw as a patch-now priority. If a government agency is being told to drop everything and patch this, the older Joomla sites in your portfolio are not the exception.
This is a Joomla-only issue. JCE has no WordPress build, so WordPress sites are unaffected.
Watch: check and clean a JCE-hacked Joomla site
Basic Joomla Tutorials walks through spotting the JCE Profiles hack and cleaning it up with mySites.guru.
Tim Davis publishes clear, no-nonsense Joomla guides on his Basic Joomla Tutorials channel. If you run Joomla, it is well worth a subscribe.
How to spot a compromised site
The attack leaves the same fingerprint every time. Check three places: your editor profiles, the files on disk, and your access logs.
Editor profiles you did not create
Machine-generated names like J940401 or J938560, or blunt labels like "Pwned" with a description of "RCE via JCE". They are imported, so there is no matching admin action in your logs.
A profile forced to the top of the list
A large negative ordering value, often -99999, pins the rogue profile above your real ones so it takes effect. Legitimate profiles use normal positive ordering.
Script uploads enabled
The rogue profile lists php, phtml or txt in its upload filetypes with MIME validation switched off. That is the part that lets an attacker drop a webshell. allow_php on its own is not the signal.
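The three profile-level tells above, turned into a check you can run over an export of your editor profiles. This is an added example, not mySites.guru's check or JCE code: it assumes each profile has been exported as a dict with the keys `name`, `description`, `ordering`, `upload_extensions` (comma-separated) and `validate_mimetype`; the real JCE profile schema stores these differently, so map them when you export. The sample profiles are constructed for the example. Note that `allow_php` is read but deliberately never used as a signal, matching the discriminator described above.

```python
"""Triage exported JCE editor profiles for the rogue-profile fingerprint.

Added example, not mySites.guru or JCE code. Profile keys below are assumptions
about the export format; the sample rows are constructed.
"""
import re

# Names the attack tooling generates (J followed by six digits) or blunt labels.
MACHINE_NAME = re.compile(r"^J\d{6}$")
BLUNT_LABELS = {"pwned", "rce via jce"}
# Upload filetypes that let a profile drop a script, per the fingerprint above.
SCRIPT_EXTENSIONS = {"php", "phtml", "txt"}

# Constructed sample export: two legitimate profiles, two rogue ones.
SAMPLE_PROFILES = [
    {"name": "Default", "description": "Default profile", "ordering": 1,
     "upload_extensions": "jpg,png,gif,pdf", "validate_mimetype": True, "allow_php": False},
    # Permissive for a legitimate reason: allow_php on, but no script uploads.
    {"name": "Editors", "description": "Site editors", "ordering": 2,
     "upload_extensions": "jpg,png,docx", "validate_mimetype": True, "allow_php": True},
    {"name": "J940401", "description": "", "ordering": -99999,
     "upload_extensions": "jpg,php,txt", "validate_mimetype": False, "allow_php": True},
    {"name": "Pwned", "description": "RCE via JCE", "ordering": -99999,
     "upload_extensions": "phtml", "validate_mimetype": False, "allow_php": False},
]


def triage_profile(profile):
    """Return plain-English reasons this profile looks rogue (empty list = looks fine)."""
    reasons = []
    name = profile.get("name", "")
    desc = profile.get("description", "").lower()
    if MACHINE_NAME.match(name) or name.lower() in BLUNT_LABELS or desc in BLUNT_LABELS:
        reasons.append(f"machine-generated or blunt name {name!r}")
    ordering = int(profile.get("ordering", 0))
    if ordering < 0:
        reasons.append(f"negative ordering {ordering} pins it above real profiles")
    exts = {e.strip().lower() for e in profile.get("upload_extensions", "").split(",") if e.strip()}
    script_exts = sorted(exts & SCRIPT_EXTENSIONS)
    mime_validation_off = not profile.get("validate_mimetype", True)
    # The discriminator: script uploads allowed with MIME validation switched off.
    # allow_php on its own is not the signal, so it is deliberately not checked.
    if script_exts and mime_validation_off:
        reasons.append(f"script uploads {script_exts} enabled with MIME validation off")
    return reasons


def find_rogue_profiles(profiles):
    """Map profile name -> reasons for every profile that trips at least one check."""
    return {p["name"]: reasons for p in profiles if (reasons := triage_profile(p))}


if __name__ == "__main__":
    for name, reasons in find_rogue_profiles(SAMPLE_PROFILES).items():
        print(name, "->", "; ".join(reasons))
```

Run it against your own export and anything it names is a profile to preserve as evidence and then remove; a profile that trips only the ordering or name check still deserves a look, since the tooling does not always use the same labels.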
Webshells dropped on disk
Unexpected PHP in tmp, media, images or the libraries tree. Look for hidden .xml.php droppers, eval(gzinflate(base64_decode(...))) blobs, shell_exec command shells, and small "Nxploited" marker files.
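The file-level indicators just listed, as a small webroot scanner. This is an added example, not mySites.guru's malware scanner: it walks the four directory trees named above and flags the `.xml.php` dropper names, `eval(gzinflate(base64_decode(...)))` blobs, `shell_exec` shells, `Nxploited` marker files, and PHP under tmp, media or images where no PHP belongs. The sample webroot is built in a temporary directory from inert stand-in contents, not real droppers.

```python
"""Scan a Joomla webroot for the file-level indicators of the JCE Profiles hack.

Added example, not mySites.guru's scanner or JCE code. The sample tree is
constructed from inert stand-ins.
"""
import os
import re
import tempfile

# Directories the attack is seen dropping into, relative to the webroot.
WATCHED_DIRS = ("tmp", "media", "images", "libraries")
# PHP is never expected under these three; the libraries tree legitimately holds PHP.
NO_PHP_DIRS = ("tmp", "media", "images")

CONTENT_PATTERNS = {
    "eval(gzinflate(base64_decode())) blob": re.compile(
        rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("),
    "shell_exec command shell": re.compile(rb"\bshell_exec\s*\("),
}


def classify_file(root, path):
    """Return the indicators one file matches (empty list = nothing suspicious)."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    name = os.path.basename(path).lower()
    reasons = []
    if name.endswith(".xml.php"):
        reasons.append("double-extension .xml.php dropper name")
    if name.endswith(".php") and rel.split("/")[0] in NO_PHP_DIRS:
        reasons.append("PHP file where no PHP belongs")
    if "nxploited" in name:
        reasons.append("Nxploited marker file")
    try:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # the first MiB is plenty for these signatures
    except OSError:
        return reasons
    for label, pattern in CONTENT_PATTERNS.items():
        if pattern.search(data):
            reasons.append(label)
    return reasons


def scan_webroot(root):
    """Map relative path -> indicators for every flagged file under the watched trees."""
    hits = {}
    for sub in WATCHED_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for fname in files:
                path = os.path.join(dirpath, fname)
                reasons = classify_file(root, path)
                if reasons:
                    hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits


def build_sample_webroot():
    """Constructed sample webroot; contents are inert stand-ins, not working droppers."""
    root = tempfile.mkdtemp(prefix="jce-sample-")
    samples = {
        "images/banner.jpg": b"\xff\xd8\xff\xe0 stand-in image bytes",
        "libraries/vendor/helper.php": b"<?php\nfunction add($a, $b) { return $a + $b; }\n",
        "tmp/cache.xml.php": b"<?php eval(gzinflate(base64_decode('AAAA')));",
        "media/editors/Nxploited.txt": b"x",
        "libraries/src/cmd.php": b"<?php shell_exec('stand-in');",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_webroot(build_sample_webroot()).items()):
        print(rel, "->", "; ".join(reasons))
```

Point `scan_webroot` at a real webroot and read the flagged files before deleting them; a hit on `libraries` is only content-based, so compare it against a clean copy of the same release rather than trusting the filename.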
A two-request signature in your logs
A POST to task=profiles.import that creates the rogue profile, followed immediately by a POST to method=upload that drops the shell. Both return 200, both unauthenticated, often carrying an id=RCExxx marker.
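The two-request signature, correlated over access log lines. This is an added example, not mySites.guru's detection or the JCE developer's advisory tooling: it parses Apache/Nginx combined-format lines, pairs each successful POST to `task=profiles.import` with a later successful POST to `method=upload` from the same client, pulls out the `id=RCExxx` marker, and separately reports imports that were refused (what the spray looks like against a patched site) and imports with no upload yet. The log lines are constructed for the example using documentation addresses, and the five-minute pairing window is an assumption; in practice the two requests are seconds apart.

```python
"""Find the two-request signature of the JCE Profiles hack in access logs.

Added example, not mySites.guru's detection. Sample lines are constructed;
the pairing window is an assumption.
"""
import re
from datetime import datetime, timedelta

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MARKER = re.compile(r"[?&]id=(RCE\w+)")  # the id=RCExxx marker the tooling often carries
WINDOW = timedelta(minutes=5)

SAMPLE_LOG = [
    # Hit: import then upload from the same client, both 200, both carrying the marker.
    '203.0.113.7 - - [09/Jun/2026:02:14:01 +0000] "POST /index.php?option=com_jce&task=profiles.import&id=RCE001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2026:02:14:03 +0000] "POST /index.php?option=com_jce&method=upload&id=RCE001 HTTP/1.1" 200 188 "-" "Mozilla/5.0"',
    # Ordinary traffic.
    '198.51.100.4 - - [09/Jun/2026:02:20:10 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    # Rogue profile imported but no upload seen yet: still a compromise to investigate.
    '198.51.100.4 - - [09/Jun/2026:02:21:00 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "curl/8.0"',
    # The same spray against a patched site: the import is refused.
    '192.0.2.9 - - [09/Jun/2026:03:01:00 +0000] "POST /index.php?option=com_jce&task=profiles.import&id=RCE002 HTTP/1.1" 403 121 "-" "curl/8.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def find_jce_signature(lines):
    """Classify every profiles.import POST as paired (shell dropped), unpaired or blocked."""
    events = [e for e in map(parse_line, lines) if e]
    uploads = [e for e in events
               if e["method"] == "POST" and "method=upload" in e["path"] and e["status"] == 200]
    result = {"paired": [], "unpaired": [], "blocked": []}
    for imp in events:
        if imp["method"] != "POST" or "task=profiles.import" not in imp["path"]:
            continue
        marker = MARKER.search(imp["path"])
        if imp["status"] != 200:
            result["blocked"].append({"ip": imp["ip"], "time": imp["time"],
                                      "status": imp["status"],
                                      "marker": marker.group(1) if marker else None})
            continue
        # The import is the moment the site was first reached (the developer's log tell).
        finding = {"ip": imp["ip"], "first_reached": imp["time"], "shell_dropped": None,
                   "marker": marker.group(1) if marker else None}
        for up in uploads:
            if up["ip"] == imp["ip"] and imp["time"] <= up["time"] <= imp["time"] + WINDOW:
                finding["shell_dropped"] = up["time"]
                if finding["marker"] is None and (m := MARKER.search(up["path"])):
                    finding["marker"] = m.group(1)
                break
        result["paired" if finding["shell_dropped"] else "unpaired"].append(finding)
    return result


if __name__ == "__main__":
    for kind, findings in find_jce_signature(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, finding)
```

Feed it the whole retained log history, not just today's file: the `first_reached` timestamp of the earliest paired import is the start of the window during which the server has to be treated as under attacker control.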
It is automated, not targeted
This is a botnet spraying the same exploit at every JCE install it can reach. A site with no public registration is not safe, because the flaw needs no login at all.
Check for JCE Rogue Profiles & Backdoors
Hunting for this by hand, one administrator panel at a time across 40 client sites, is the kind of job that never actually gets done. So we built a check that does it for you, on every connected Joomla site, on every snapshot, twice a day.
- Sits in the "Hacked?" section of each site's health view: a single OK, or a red count of threats.
- Finds rogue editor profiles and the webshells they drop, scoped to this attack's fingerprint.
- A permissive profile with allow_php on for legitimate reasons is not flagged. The discriminator is whether it lets you upload a script file.
- Shows you every rogue profile and file first, with a plain-English reason, before anything is removed.
- Remove the profiles, delete the backdoors, and update JCE to the patched version from the same screen.
mySites.guru was already catching this, and now goes further
The dedicated JCE check above is new. The detection underneath it is not. Every mySites.guru audit has always read every file in your webspace, line by line, including the dormant files a browser-based scanner never sees. The webshells this attack drops, the hidden .xml.php droppers, the obfuscated eval(gzinflate(base64_decode(...))) blobs, the shell_exec command shells, were already being flagged by the suspect content and hacked file scanning that runs on every snapshot: over 2,000 hand-written patterns and 14,000+ confirmed-hacked file hashes, updated daily. Even the fake JCE profile itself stood out, because of tells like the forced -99999 ordering no real profile ever uses.
What we built this week is a whole set of new tooling aimed squarely at this attack. A dedicated check that targets the specific known droppers and files from the JCE hack and reports them in their own "Hacked?" section, a one-click tool that removes a fake profile straight from the JCE profiles database, and the detection signatures behind both, all added in days. It is the difference between "your audit flagged some suspect files, go and read them" and "this is the JCE profiles attack, here is exactly what to remove, remove it now." If you want the detail on the two underlying signals and how to tell a real threat from a noisy one, the suspect content vs hacked files guide walks through it.
That is the pattern, not the exception. mySites.guru is, has been, and always will be updated daily with new features, tools, recipes and detection to match what agencies running Joomla, and WordPress, actually need as the threats move. When the next attack lands, the underlying scanning has usually already seen the shape of it, and a targeted tool follows close behind.
Find every vulnerable install, then patch them in one batch
Cleaning up after a hit is only half the job. The other half is making sure none of your other sites are next. The extension search lists every site with JCE installed, grouped by version, so you can find anything still on a vulnerable build in seconds, then push the patch across every affected site with the mass updater instead of logging into each panel by hand.
- 2.9.99.8: Current recommended release. A maintenance update on top of the security fixes: the File Browser now never lists php, js or exe files, plus fixes for folder-restricted Media Fields and special-character filenames.
- 2.9.99.7, 2.9.99.6, 2.9.99.5: Close CVE-2026-48907, the follow-up audit, and the 2.9.99.6 upload regression. Safe, but update to 2.9.99.8 for the latest fixes.
- 2.9.99.4 and earlier: Carries the unauthenticated profile upload. Public exploit exists. Update, or apply the free patch if you cannot.
- 2.7.x, 2.8.x: Carries the flaw and years of unpatched issues. The developer's free patch package covers these for sites that cannot update.
- 2.6.x: Not affected in a default config: the profile import path is blocked. Still unsupported, so plan to migrate.
Beware of some of the other free solutions
A wave of quick "JCE hack fixer" scripts has appeared, most of them clearly written by AI in an afternoon. They look reassuring. They are not enough.
Most of these tools do one thing: delete the rogue editor profile and remove a handful of dropper files that have been seen in a few well-known locations. That addresses the very basics, and nothing more. They do not take into account the security of the whole site, and they ignore the most important fact about this attack: once a hacker has uploaded dropper files, they have already had the run of your server.
A dropper is not the end of the attack, it is the beginning. With those files in place, an attacker can do all kinds of damage and manipulation: add extra super administrators so they keep access after you patch, upload even more files in directories no quick script thinks to check, modify legitimate files to reinfect on a schedule, or download your entire database, customer data and all. A tool that removes one known profile and three known files leaves every one of those open.
The only thing that actually clears a site is a tool that monitors continuously and brings a full suite of checks to bear, taking a comprehensive, whole-site look at the install and how well it holds to best practice: every file read line by line, rogue administrators surfaced, suspect content flagged, extensions checked for known vulnerabilities, and the entry point patched so it cannot happen again. For Joomla, the only tool that does all of that in one place is mySites.guru.
Stuck on an old Joomla or PHP version? There is a free patch from the official JCE Project
The current JCE releases need PHP 7.4 and Joomla 3.9 or later. For sites that genuinely cannot meet that yet, the JCE developer has released a free patch package that closes this vulnerability in JCE 2.7.x, 2.8.x and 2.9.x. JCE 2.6.x is not affected in a default configuration, but is unsupported and should still be migrated.
The patch is a stopgap, not a substitute for updating. It closes the vulnerability only, without the broader hardening in 2.9.99.6 and later releases, and it does not clean a site that was already compromised. Back up and test on a copy first, and plan to move to a supported Joomla and PHP version. Updating remains the right answer wherever it is possible.
Download the free patch package
How mySites.guru helps you fix the JCE Hack
Connect your Joomla sites
Register for free and install the mySites.guru connector extension. It takes about two minutes per site, with no configuration required.
We scan for the JCE fingerprint
On every snapshot, twice a day, the check hunts for rogue editor profiles and the webshells they drop, across your whole portfolio at once.
Review, clean and patch
See every flagged profile and file, remove them, and update JCE to the patched version from the same screen. Then sweep the rest with the extension search.
Free to start. No credit card required.

Back the developer
Run JCE? Buy JCE Pro and fund the fixes
The single best thing you can do for JCE's security is pay for it. A JCE Pro subscription is €39 a year, renewals from €29, and it directly funds the work that closed this vulnerability so quickly. When the attack surfaced, the developer shipped 2.9.99.5, a hardening release in 2.9.99.6, a follow-up in 2.9.99.7, a maintenance release in 2.9.99.8, and a free patch for older sites, all in a matter of weeks. That responsiveness is exactly what a paid subscription keeps running.
Pro is also a better editor for the sites you build. You get the media manager, an AI assistant, layout columns, advanced paste cleanup, custom styles, microdata for SEO, and a monitored support forum, on top of the priority security updates. If JCE is part of your Joomla stack, this is the kind of small-developer tool that is well worth paying for.
For the source of truth on every JCE security update, read the developer's official news page, including the advisory on this vulnerability and the free patch. Straight from the developer, not filtered through third parties.
From €39/year · renewals from €29 · monitored support forum
JCE is not a mySites.guru product. JCE Pro is bought from, and supported by, the JCE developer, separately from and in parallel to any mySites.guru subscription.
Think you are immune? Joomla's own official sites were hit too
If you are tempted to assume this only happens to neglected sites run by people who never patch, look at what it did to the most prominent Joomla properties there are. The hack did not stop at one site. extensions.joomla.org, the official Joomla Extensions Directory that every Joomla administrator visits to find and install extensions, was taken down and replaced with a bare 503 Maintenance holding page. So were community.joomla.org and certification.joomla.org, all serving the same maintenance page at the same time.
Sit with that for a second. These are not hobbyists' abandoned brochure sites. They are flagship properties run by the Joomla project itself, maintained by people who know Joomla security better than almost anyone, on infrastructure that is watched closely. JCE is one of the most-installed editors in the Joomla world, so any site running it was about as exposed to this attack as a site could be, and exposure plus an unauthenticated, fully automated exploit is all it takes.
The botnet spraying this exploit does not check who owns a site or how competent its administrators are before it fires. It finds a reachable JCE install, imports the rogue profile, drops the shell, and moves on. A 503 maintenance page is what the cleanup looks like from the outside. "My sites are well looked after" and "I would have noticed" are not the protection they feel like, because this needs no login, leaves no failed-login trail, and lands on every reachable install at once.
If the Joomla project's own extensions directory, community site, and certification site can all be taken offline by it at once, the handful of older Joomla sites sitting quietly in your portfolio absolutely can be too. The only thing that actually protects a site is the JCE version it is running, and the only way to know that across a whole portfolio, without logging into every administrator panel by hand, is to have something watching all of them for you.
Already found a rogue profile?
Treat the site as compromised and work through these in order. Patch the entry point, or it just reinfects.
1. Take a copy of the suspect profile and any suspect files first, as evidence, before you remove anything.
2. Delete the rogue editor profile and every webshell it dropped.
3. Update JCE to 2.9.99.8 so the entry point is closed. Removing files without patching invites reinfection.
4. Rotate your Joomla secrets and passwords, and any reused credentials.
5. Run a full file-level malware scan to confirm nothing else was dropped.
Want it handled for you? fix.mysites.guru offers same-day remediation at a flat rate.
Trusted by agencies managing Joomla at scale
Comprehensive, innovative and a lifeline for anyone building and managing websites. The speed at which he acted with the JCE hack illustrates Phil's vigilance and speedy approach to developing security tools in real time.
Thank you so much for your fantastic tool. Without it, I would never have noticed the installation of the backdoor plugins so quickly, and the cleanup work is so much more efficient. Best regards. Doris
We manage around 100 Joomla projects and are very happy that mysites.guru takes so much work off our hands. This makes regular Joomla maintenance a profitable business for us.
Common questions
- What is the JCE Profiles hack?
- Is this exploitable without a login?
- Has CISA flagged this vulnerability?
- How do I know if my Joomla site has been hit?
- Which JCE versions are vulnerable?
- What if a site cannot update to 2.9.99.8?
- Does enabling allow_php in a profile mean my site is hacked?
- How does mySites.guru find vulnerable JCE installs across many sites?
- What do I do first if I find a rogue profile?
- Does this affect WordPress?
The full story, post by post
Finding, and fixing, the JCE Profiles hack
How we found it live, the IoCs in detail, and the new mySites.guru check.
JCE 2.9.99.5: the unauthenticated upload
CVE-2026-48907 explained, and why it must be patched now.
JCE 2.9.99.6: the hardening release
What a four-day audit changed, and why you still need it.
JCE 2.9.99.4: the authenticated bugs
The two earlier fixes that started the run of releases.
Find the JCE hack before it finds your sites
Connect your Joomla sites and let mySites.guru hunt for rogue profiles and backdoors twice a day, then clean and patch them from one screen. Free to start.
Scan Your Joomla Sites Now