
JCE 2.9.99.4 security release
The JCE team has released JCE 2.9.99.4, an important security maintenance update that all Joomla website owners should install as soon as possible.
Two related security vulnerabilities were identified and resolved in both JCE Core and JCE Pro. According to the JCE developers, all previous versions are affected. The vulnerabilities could allow an authenticated Joomla user to access an Editor Profile they were not assigned to and perform file browser actions within that profile's permissions. A second issue involved a directory search function that could potentially expose folder listings outside the configured directory.
The JCE team confirmed that both issues have been fully resolved in version 2.9.99.4. Exploitation required an active authenticated Joomla session; unauthenticated access was not possible.
Update as soon as possible
We strongly recommend updating both JCE and JCE Pro to version 2.9.99.4 at the earliest opportunity.
As part of our Joomla maintenance service, we have already deployed this security update for all customers with an active Joomla maintenance contract, ensuring their websites are protected against these vulnerabilities.
Joomla 3, 4, 5 and 6 compatible
Good news for website owners running different Joomla versions: JCE Pro 2.9.99 is fully compatible with Joomla 3, Joomla 4, Joomla 5 and Joomla 6. In addition, JCE Pro 2.9.99.4 does not require the Backwards Compatibility plugin in Joomla 5 or Joomla 6, making upgrades and maintenance easier for site administrators.
If your website has not yet been updated, now is the time to do so.








