⚠ Still Active · JCE Profiles Attack ⚠
mySites.guru
Active Exploitation
The JCE attack is rolling straight into the weekend
A quick follow-up to last week's alert, because this one has not died down. The JCE Profiles attack is still live, and it has got worse. What started as one piece of automated tooling is now several separate botnets, all hammering Joomla sites that are still on an old version of JCE, and they will keep going right through the weekend.
The flaw is an unauthenticated profile upload in JCE (CVE-2026-48907, patched in 2.9.99.5). With no login at all, an attacker imports a rogue editor profile that re-enables php and txt uploads, then uses it to drop a webshell. Working exploit code went public on GitHub on 9 June. Now anyone can run it, and plenty of people are. We are watching the same throwaway profile names and identical configs land on sites that have nothing to do with each other, which is the signature of a botnet working through a list, not someone coming for you specifically.
Whether your site allows registration makes no difference. The entry point needs no account, so a site with no public sign-up is exactly as exposed as one with thousands of users. If you run Joomla and have JCE installed, this is your weekend job.
Everything below is also on the JCE Hack page – the indicators, the version table, and the fix.
Credit where it's due: Ryan has handled this brilliantly
I want to single out Ryan, the JCE developer, because his response to all this has been spot on. He shipped the emergency fix in 2.9.99.5 on 3 June to close the unauthenticated upload, then spent four days auditing the whole editor and shipped 2.9.99.6 on 8 June as a hardening release on top. That is not patching the one hole and hoping for the best; that is going back through the code and tightening up around it too.
And here's the part I really rate. 2.9.99.6 needs PHP 7.4 and Joomla 3.10 or later, which plenty of older sites cannot meet yet. Rather than leave those people stuck, Ryan has published a free patch package that closes this same vulnerability on the old 2.7.x, 2.8.x and 2.9.x branches. Free, for software a lot of those owners stopped paying for years ago. That is him looking after the whole Joomla community, not just his paying customers.
One caveat worth saying plainly: the free patch is a stopgap. It closes the vulnerability, but it does not include the wider 2.9.99.6 hardening, and it will not clean a site that has already been hit. Where you can update, update. Where you genuinely cannot, patch.
What to do this weekend
1. Update JCE to 2.9.99.6 on every site
This is the single most important thing. Use the mySites.guru mass updater to push 2.9.99.6 across every install in one batch rather than logging into each admin one at a time. Both JCE Free and JCE Pro pull the update from the same server. Patching closes the entry point. If a site is stuck on PHP 7.3 or Joomla 3.9 and cannot reach 2.9.99.6, apply Ryan's free patch in the meantime.
2. Run our JCE check across your sites
Patching stops the next attempt, but if a botnet already got in last week, the update alone will not show you that. Our "Check for JCE Rogue Profiles & Backdoors" check runs on every mySites.guru snapshot, twice a day, on every connected Joomla site. Open a site and look at the Hacked? section: a clean site shows OK, a compromised one shows a red threat count with an Investigate button that lists every rogue profile and webshell it found. If your sites are connected, it is already looking.
3. If you find a compromise, clean it properly
Take a copy of the rogue profile and any dropped files for evidence first, then remove them, patch JCE, rotate your Joomla secrets and passwords, and run a full scan. The JCE Hack page walks through the whole thing, including the exact file locations and access-log signatures to grep for.
4. Then audit the whole site, because patching is only phase one
This is the bit people skip, and it matters. Updating JCE and deleting the obvious droppers closes the door and clears the mess you can see. It does not tell you what happened while the door was open. A webshell gives an attacker full, unrestricted run of your web space. If they wanted to, they could quietly add their own admin user, slip a second backdoor into a file you would never think to check, leave behind latent hacker dust that wakes up weeks later, or in the worst case wipe every file you have. Removing the one shell you found does nothing about any of that.
So treat a hit as a reason to check everything, not just the JCE bits. The mySites.guru tools you already have do exactly this: they audit every single file in the web space for inconsistencies, known backdoor signatures, suspect content and bad practice, so you can find the things a botnet leaves behind that have nothing to do with the profile it came in through. Here's how to sweep a site for hacks and backdoors from one screen.
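As an added illustration of the rogue-profile check in step 2 (example code written for this note, not mySites.guru's own checker or anything from JCE), the script below scans JCE profile records for an upload allow-list that re-enables php-executable or txt extensions, the tell-tale described above. The record shape (a name plus a JSON params string), the params key extensions and the group=ext,ext;... format are assumptions about how a profile stores its allow-list, and the sample records are constructed.

```python
import json

# Extensions that would let an uploaded file run as PHP, plus txt, which the
# rogue profiles described above are reported to re-enable alongside php.
WATCHED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "phar", "txt"}


def parse_extension_groups(spec):
    """Parse 'images=jpg,png;files=doc,pdf' into {group: {ext, ...}}.
    The 'group=ext,ext;...' shape is an assumption, not taken from JCE source."""
    groups = {}
    for part in spec.split(";"):
        name, _, exts = part.strip().partition("=")
        if name:
            groups[name.strip().lower()] = {e.strip().lower() for e in exts.split(",") if e.strip()}
    return groups


def find_risky_profiles(profiles):
    """Return [(name, flagged_extensions)] for every profile whose allow-list
    contains a watched extension. Each profile is a dict with 'name' and
    'params' (a JSON string); that shape and the 'extensions' key are assumptions.
    Unparseable params are reported too: a record the editor cannot read is worth a look."""
    hits = []
    for profile in profiles:
        name = profile.get("name", "<unnamed>")
        try:
            params = json.loads(profile.get("params") or "{}")
        except json.JSONDecodeError:
            hits.append((name, {"<unparseable params>"}))
            continue
        spec = params.get("extensions", "") if isinstance(params, dict) else ""
        allowed = set().union(*parse_extension_groups(spec).values())
        flagged = allowed & WATCHED_EXTENSIONS
        if flagged:
            hits.append((name, flagged))
    return hits


# Constructed sample records, not data from any real site.
SAMPLE_PROFILES = [
    {"name": "Default", "params": json.dumps({"extensions": "images=jpg,jpeg,png,gif;files=doc,docx,pdf"})},
    {"name": "x7f2", "params": json.dumps({"extensions": "images=jpg;files=php,txt"})},
    {"name": "Broken", "params": "{not json"},
]

if __name__ == "__main__":
    for name, exts in find_risky_profiles(SAMPLE_PROFILES):
        print(f"RISKY profile {name!r}: allows {sorted(exts)}")
```

Feed it the profile rows from your own install and treat every hit as something to export for evidence before you delete it, as step 3 says.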
The full story, if you want the detail
Found a hacked site? I can clean it
Phil Taylor – Fixing websites since 2004
If the check turns up a rogue profile and a webshell and you would rather not deal with it yourself, that is exactly what I do. Same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.
✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
If I can't add value, you don't pay
mySites.guru
Website management since 2012
You're receiving this because your mySites.guru account has one or more Joomla sites with JCE (Joomla Content Editor) installed, the extension targeted by the attack described above.