JCE Security Notice
If you received an email from me pointing you to this page, it is because your website appears to be running an out-of-date version of the Joomla Content Editor (JCE) plugin. This page explains why that matters and how to fix it.
Is this message legitimate?
Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it or exploit anything.
All I did was look at publicly visible files that your website serves to every visitor (the same way your homepage is public) and note the version number that the JCE plugin publishes in those files. Nothing about this check touches your data, your admin area, or any private part of your site.
If you would like to verify who I am, see the contact details at the bottom of this page and the About page.
Why this matters
The Joomla Content Editor is a very widely used editor plugin for the Joomla content management system. Older releases contain known security vulnerabilities. Attackers actively scan the internet for sites running these outdated versions, and a common outcome is website defacement: your pages get replaced or altered by someone who should not have access.
Because the vulnerable versions are well documented and easy to find, this is not a theoretical risk. The good news is that it is straightforward to fix, and upgrading closes the hole.
How to check your version
You do not have to take my word for which version you are running. If you have access to your Joomla administrator area:
- Log in to your Joomla admin (usually at
yourdomain.com/administrator). - Go to System then Manage then Extensions (or Extensions then Manage, depending on your Joomla version).
- Search for JCE and note the installed version.
Compare that against the latest release on the official JCE site (see below). If yours is older, you should upgrade.
How to upgrade
The safest path is to update through Joomla itself, and to back up first:
- Back up your site (files and database) before making changes. Most hosting providers offer one-click backups, or use a Joomla backup extension.
- In the Joomla admin, open Extensions then Manage then Update, and click Find Updates. If a JCE update is listed, install it from here.
- If no update appears there, download the latest release directly from the official JCE project at https://www.joomlacontenteditor.net and install it via Extensions then Install.
- After upgrading, confirm the new version number using the steps above, and check that your site loads and edits normally.
While you are in there, it is worth confirming that Joomla itself and your other extensions are up to date, since the same principle applies to all of them.
I do not have a webmaster / I am stuck
If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.
If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.
Contact
Evan Harris, Security Researcher
- Email: security@mail.mcpsec.dev
- X: @Evan__Harris
- GitHub: eharris128
I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.