Security update JCE Editor
Joomla Content Editor (JCE) is a widely used editor in Joomla. An update for JCE edito was released on 18 October 2023: version 2.9.51. This update includes an important security update for all previous versions of JCE Editor Core and JCE Editor Pro.
It further improves support for Joomla 5, fixes an issue with the display of Media Fields, fixes several image processing issues when uploading, and fixes a number of other bugs and issues reported or discovered since the last update.
A malicious user could directly access and execute certain PHP files in the JCE Editor plugins folders. For example, this would allow a user to access the foo.php file in the components/com_jce/editor/plugins/foo folder.
This vulnerability does not allow users to upload a file or place it in a specific location. The file must already be on the server, for example placed there by another security issue in another extension or by a site/server vulnerability.
This JCE 2.9.51 update fixes the issue of unauthorised access and improves validation of existing files so that compromised files are not loaded.
We have updated JCE editor to this latest version for all our customers with a support contract.
Joomla 5 support
Support in JCE for Joomla 5 has been improved, eliminating the need for the Backwards Compatible plugin in Joomla 5 for JCE editor. JCE Pro and JCE Core are now fully compatible with Joomla 3, Joomla 4 and Joomla 5!
Source: JCE Pro 2.9.51 released