A critical vulnerability in the Widget Factory Joomla Content Editor plugin allows unauthenticated attackers to upload and execute arbitrary PHP code by creating new editor profiles. This effectively grants full remote code execution on affected Joomla sites without requiring any login credentials. It has been added to the CISA Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild.

Security Architect’s Take: Audit all Joomla deployments across your environment and patch or disable the Widget Factory Content Editor plugin immediately. If Joomla sites are hosted on cloud infrastructure, treat any exposed instance as potentially compromised and review web application firewall rules to block unauthenticated POST requests to editor profile creation endpoints whilst patching is carried out.

Original advisory: CVE-2026-48907: Widget Factory Joomla Content Editor