⚠ Urgent Security Alert ⚠
mySites.guru
Active Exploitation
We are seeing active JCE Profiles attacks on Joomla sites TODAY!
We're writing because one or more of your Joomla sites on mySites.guru has JCE (Joomla Content Editor) installed. In the last 24 hours the JCE Profiles attack has gone from a handful of sites to thousands, and the shape of it says tens of thousands are coming. This is not a heads-up about a version to patch when you get a minute. It is a live attack, happening now, against the most widely installed Joomla editor there is.
The attack abuses an unauthenticated profile upload in JCE (CVE-2026-48907, patched in 2.9.99.5). With no login, an attacker imports a rogue editor profile that re-enables php and txt file uploads, then uses that profile to drop a webshell. We found it live on real sites this month, swept the rest of those portfolios, and found more. Now automated tooling is spraying the same exploit at every JCE install it can reach: python-requests user agents, the same throwaway profile names (J940401, Pwned) turning up again and again, identical config across sites that have nothing to do with each other. That is a botnet working through a list, not someone targeting you.
Whether your site allows registration makes no difference here. The entry point needs no account. A site with no public sign-up is exactly as exposed as one with thousands of users.
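A first-pass log check for the signature described above, as an added example that is not mySites.guru's or JCE's own code. It flags access-log requests that pair a python-requests user agent with the JCE component. It assumes combined log format and that JCE requests carry `option=com_jce` in the URL; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access-log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def suspicious_jce_hits(lines):
    """Group requests that pair a python-requests user agent with the JCE
    component, keyed by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; ignore
        uri = unquote(m["uri"]).lower()
        # Assumption: requests to JCE carry option=com_jce in the URL.
        if "python-requests" in m["ua"].lower() and "option=com_jce" in uri:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def answered_posts(hits):
    """IPs whose POST to JCE got a 2xx reply: check these sites first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == "POST" and 200 <= st < 300 for _, meth, st in reqs))

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '192.0.2.10 - - [01/Jan/2026:10:00:02 +0000] "POST /index.php?option=com_jce HTTP/1.1" 403 199 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [01/Jan/2026:10:05:00 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 840 "https://example.org/administrator/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [01/Jan/2026:10:06:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [01/Jan/2026:10:07:00 +0000] "POST /index.php?option=com_jce HTTP/1.1" 404 0 "-" "python-requests/2.28.1"',
    'garbage line that is not an access-log entry',
]

if __name__ == "__main__":
    found = suspicious_jce_hits(SAMPLE)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("answered POSTs from:", answered_posts(found))
```

A 2xx reply only shows the server answered the request. Whether a rogue profile was actually imported still has to be confirmed on the site itself.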
We built a tool for exactly this.
Check for JCE Rogue Profiles & Backdoors now runs on every mySites.guru snapshot, twice a day, on every connected Joomla site. It finds the rogue editor profiles and the webshells this attack drops, then lets you remove them and patch JCE from one screen. If your sites are connected, it is already looking.
What you need to do
1. Run the new check across your sites
Open any connected Joomla site in mySites.guru and look at the Hacked? section of the snapshot. A clean site shows OK. A compromised one shows a red threat count and an Investigate button that lists every rogue profile and malicious file it found. See exactly what the check looks for.
2. Update JCE to 2.9.99.6 on every site
Use the mySites.guru mass updater to patch every install in one batch rather than logging into each admin in turn. Both JCE Free and JCE Pro pull the update from the same JCE update server. Patching closes the entry point. Cleaning up the files without patching just invites the next round.
3. If you find a compromise, clean it properly
Take a copy of the rogue profile and files for evidence first, then remove them, patch JCE, rotate your Joomla secrets and passwords, and run a full scan. The blog post walks through the whole thing, including the file locations and access-log signatures to grep for.
See also: JCE's own 2.9.99.5 release announcement
Why this one is moving fast
An unauthenticated file upload in the most widely installed Joomla editor is exactly the kind of flaw automated tooling is built to chew through. There is no login to get past, no targeting to do, just a long tail of installs nobody has updated and a published exploit being sprayed at all of them. That is why the count has climbed from a handful of sites to thousands inside a day.
The difference this time is that you have a tool that finds it for you. That puts this in the same bracket as genuinely unauthenticated Joomla issues like Smart Slider 3 and Novarain Framework, not the authenticated-only JCE bugs we emailed about earlier. Patch today and check your sites, and it stops being your problem.
Not a mySites.guru subscriber yet?
Then this is all the more reason to sign up today. Connect your Joomla sites and the new Check for JCE Rogue Profiles & Backdoors runs automatically on every snapshot, twice a day, watching for this exact attack across your whole portfolio, and lets you patch every JCE install in one batch when it finds one.