
Joomla JCE exploit

If you run Joomla you need to make sure you secured

         

mack

4:57 pm on Jun 24, 2026 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



A recent exploit has left a large number of Joomla installs vulnerable to an exploit through the JCE editor. It should be noted that JCE is not a core component of Joomla, but is a very popular third-party addon.

The exploit works by allowing a remote machine to upload files to your web space without any form of authentication. Once the script files are uploaded, they can then be accessed directly over HTTP.

Various bad actors are using this exploit for different purposes, but any Joomla install that is not running an up-to-date version of the JCE editor is vulnerable. You should log in and run an update as soon as possible to protect your system from this exploit.

If you have been targeted, there are a number of ways you can resolve the issue. It all comes down to what has been uploaded and what the installed code is trying to do. In most cases, the code will be encrypted, so it's basically impossible to determine what is going on. I have seen some sites simply go offline, some have been sending spam, some have been redirected to scam websites, and others appear to be infected, but are not doing anything YET.

Back up your site and download a local copy. I do not recommend unzipping the backup on your local machine.

If your control panel supports backups, I recommend you take advantage of them. Ideally you want to restore from a backup that is older than the exploit. That way, you are not simply restoring to a version that was already infected.

You can scan your website using web host provided software such as AVClam and ImunifyAV. This can be useful to see what files it has flagged before and after your recovery. Only attempt to reuse data that does not get flagged as containing malware.

Another stage I highly recommend doing is changing your MySQL user password and Joomla admin password. Any file that was uploaded had the ability to read and forward your configuration file. It also has access to MySQL. You should consider all details within the configuration file as accessed and known.

One specific site I had to restore was showing a PHP process creating files in /tmp, yet the file creating the files did not exist. It turns out the file was created, executed in a loop and deleted. The process was in effect still running, but was only running in memory and not on disk, so malware scanners did not identify it on the file system.

If you are unable to recover your site or if the files keep coming back, you should copy public_html to public_html2, then recreate public_html and place a maintenance page within public_html. Having an exploit running on your site and not being able to stop it can be very harmful to your reputation.

At this point, seek assistance from your web hosting provider.

Mack,
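
One way to check for the case described in the post, where a PHP process keeps running after its script file has been deleted and file-system scanners therefore miss it. This is an added example, not part of the original post; it assumes a Linux host with `/proc` and enough privilege to inspect the web user's processes, and the function names and process-name prefixes are hypothetical.

```python
import os

# Assumed name prefixes for PHP workers (php, php8.2, php-fpm, lsphp); adjust per host.
PHP_PREFIXES = ("php", "lsphp")
# PHP CLI options that consume the next argument as a value.
VALUE_OPTS = {"-c", "-d", "-z", "-S", "-t", "-B", "-R", "-F", "-E"}
DELETED = " (deleted)"  # suffix the kernel appends to unlinked /proc link targets


def script_path(argv):
    """Return the script argument of a PHP command line, or None if there is none."""
    args = iter(argv[1:])
    for arg in args:
        if arg == "-r":          # inline code, no script file
            return None
        if arg == "-f":          # explicit script file
            return next(args, None)
        if arg in VALUE_OPTS:    # skip the option's value
            next(args, None)
        elif not arg.startswith("-"):
            return arg
    return None


def find_orphaned_php(proc_root="/proc"):
    """Return (pid, reasons, script) for PHP processes whose script or cwd is gone."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read().decode(errors="replace")
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        argv = [a for a in raw.split("\0") if a]
        if not argv or not os.path.basename(argv[0]).startswith(PHP_PREFIXES):
            continue
        reasons = []
        if cwd.endswith(DELETED):
            reasons.append("cwd-deleted")
            cwd = cwd[: -len(DELETED)]
        script = script_path(argv)
        if script and not os.path.exists(os.path.join(cwd, script)):
            reasons.append("script-missing")
        if reasons:
            findings.append((int(pid), reasons, script))
    return findings


if __name__ == "__main__":
    for pid, reasons, script in find_orphaned_php():
        print(pid, ",".join(reasons), script or "-")
```

A hit is a lead for review rather than proof of compromise. PHP handlers that receive the script through the environment (php-cgi, php-fpm) show no script argument, so for those only the deleted working directory check applies.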