SHIELD: ACTIVE // NETWORK SECURE

2026-07-08 - CMS Exploitation: CISA Warns of Active Exploits Targeting Dual 10/10 Joomla Page Builder Flaws

CMS Exploitation: CISA Warns of Active Exploits Targeting Dual 10/10 Joomla Page Builder Flaws

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive warning of active in-the-wild exploitation targeting two critical vulnerabilities in popular Joomla page builder extensions. Tracked as CVE-2026-48908 and CVE-2026-56290, both flaws carry a maximum possible CVSS severity score of 10.0/10 (10/10). These vulnerabilities affect SP Page Builder by JoomShaper and Page Builder CK by Joomlack, enabling unauthenticated remote attackers to upload malicious PHP files directly to vulnerable web roots to achieve Remote Code Execution (RCE). Under Binding Operational Directive (BOD) 22-01, CISA has ordered all federal agencies to immediately audit their environments and apply vendor patches by Friday, July 10, 2026, to prevent complete server takeovers.

Deep-Dive Technical Analysis

Content Management Systems (CMS) like Joomla and WordPress are widely deployed globally to power corporate portals, government websites, and e-commerce platforms. Because these systems often rely on third-party page builder extensions to simplify design workflows, any security flaws in these widely used plugins can serve as highly attractive, low-complexity entryways for automated scanning and exploitation campaigns.

A technical analysis of the dual 10/10 Joomla extension flaws reveals highly dangerous file upload paths:

1. The Core Defect in CVE-2026-48908 (SP Page Builder): This vulnerability affects SP Page Builder versions prior to 6.6.2. The flaw resides in the extension's custom icon upload function (index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon), which can be reached by unauthenticated remote clients. Because the endpoint lacks proper file-type and authentication checks, an attacker can send an unauthenticated HTTP POST request to upload a malicious PHP file. The application writes this file directly to a web-accessible directory, allowing the attacker to execute it via their browser, gaining RCE.

2. The Core Defect in CVE-2026-56290 (Page Builder CK): This second vulnerability affects Page Builder CK versions prior to 3.6.0. It involves an improper access control and unauthenticated arbitrary file upload defect in the page layout management system. Cybercriminals are actively exploiting this flaw to write multi-threaded web shells directly to the underlying server.

3. Planting Rogue Super User Accounts: Once code execution is successfully achieved, threat actors are deploying specialized backdoors. According to tracking firm mySites.guru, the attackers are leveraging their web shells to execute database commands that instantly insert a new, hidden Joomla Super User administrative account, granting them permanent, high-privilege access that survives plugin updates or standard file deletions.

Both flaws are highly attractive to attackers because they require no user interaction and no administrative privileges to execute.

Industry Impact and Recommendations

The active exploitation of dual 10/10 CVSS vulnerabilities in major CMS plugins presents an immediate threat of wide-scale automated website defacements, corporate database exfiltration, and malicious redirect deployments. Unpatched servers are routinely converted into malicious nodes for distributed denial of service (DDoS) networks or phishing hosts, threatening wider internet hygiene.

We recommend that all website administrators, hosting providers, and enterprise DevOps teams implement the following immediate mitigations:

* Apply Extension Patches Immediately: Immediately update JoomShaper SP Page Builder to version 6.6.2 or later and Joomlack Page Builder CK to version 3.6.0 or later. If you are utilizing these page builders on Umbraco or other environments, verify that all underlying CMS systems are updated.

* De-Authorize and Remove Unused Extensions: Conduct a thorough audit of your CMS directories. Completely uninstall and delete any legacy, unmaintained, or unused third-party plugins, components, or templates to reduce your web server's attack surface.

* Configure Web Application Firewalls (WAF): Deploy strict WAF rules to inspect incoming HTTP POST traffic targeting Joomla's plugin upload directories. Explicitly block any unauthenticated requests directed at com_sppagebuilder containing PHP file markers or suspicious custom icon assets.

* Deploy Web Root Integrity Monitoring: Implement file integrity monitoring (FIM) tools on your web servers configured to immediately alert and block the creation of any new executable files (specifically .php, .jsp, or .asp) inside web-accessible media, upload, or asset directories.

References:

* The Hacker News — CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws

* SecurityWeek — CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

Category: Cyber Security Intelligence