TL;DR: CISA added two CVSS 10.0 Joomla Page Builder vulnerabilities to the Known Exploited Vulnerabilities catalog on July 7, 2026, with a Federal Civilian Executive Branch remediation deadline of July 10. CVE-2026-48908 (JoomShaper SP Page Builder unrestricted file upload) and CVE-2026-56290 (Joomlack Page Builder improper access control) both allow unauthenticated attackers to upload PHP files and plant hidden Super Administrator accounts — typically with an @secure.local email — plus a PHP file manager backdoor for persistence. For the thousands of NC small business, nonprofit, and church websites still running on Joomla, the risk today is not vandalism but silent super-admin persistence that stays live for months.
Key takeaway: Joomla still powers a meaningful share of NC SMB, nonprofit, and religious-organization websites. Two simultaneous CVSS 10.0 unauthenticated file-upload flaws in the two most popular Joomla page builders is a mass-compromise event. The federal deadline was Friday. Every unpatched Joomla site is now presumed backdoored until an incident-response review proves otherwise.
Need help auditing your Joomla website for the Super Administrator backdoor and rebuilding a hardened stack? Contact Preferred Data Corporation — BBB A+ rated, 37+ years of NC IT expertise, on-site within 200 miles of High Point. Call (336) 886-3282.
What Are CVE-2026-48908 and CVE-2026-56290?
Two independent CVSS 10.0 vulnerabilities in the two most-installed Joomla page-builder extensions.
- CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type. Affects SP Page Builder up to and including 6.6.1. Unauthenticated remote attacker uploads a PHP file through the component's upload endpoint and executes it. Fixed in SP Page Builder 6.6.2.
- CVE-2026-56290 — Joomlack Page Builder Improper Access Control. CVSS 10.0. Unauthenticated remote access to privileged endpoints. Attacker payload observed by the Joomla security team plants a Super Administrator account with
@secure.localdomain plus a PHP file-manager backdoor in multiple filesystem locations. - KEV addition: July 7, 2026. CISA cited active exploitation.
- FCEB remediation deadline: July 10, 2026. Private-sector NC SMBs should treat this as the cyber-insurance defensibility floor.
Why Are So Many NC SMBs Still on Joomla?
Joomla peaked in market share in the early 2010s and has slowly ceded ground to WordPress and modern JAM-stack platforms — but "slowly" hides the reality that NC SMBs, nonprofits, and religious organizations still run tens of thousands of Joomla sites for one simple reason: they were built once and they still work.
- ~1.5-2% of the internet still runs Joomla (W3Techs, 2026). That is millions of live sites globally, with a disproportionate concentration in SMB, nonprofit, education, and religious sectors that had strong Joomla community support in the 2010s.
- NC-specific concentration includes small municipal governments, chambers of commerce, historical societies, churches and religious ministries, small colleges, and a long tail of manufacturer and service-business marketing sites built before 2018.
- SP Page Builder alone has 500,000+ installations according to JoomShaper. Joomlack Page Builder has a smaller but similarly SMB-heavy user base.
Key takeaway: The Joomla installed base is old, unpatched, and largely unmonitored. The July 7 KEV wave will drive weeks of secondary victim discovery. NC SMBs whose Joomla site has not been touched in 12+ months should not just patch — they should assume compromise, hunt for the
@secure.localaccount, and restore from a pre-June 2026 backup.
What Does the Compromise Actually Look Like?
The Joomla security team documented a five-step attacker chain that is now automated and running against every internet-facing Joomla instance.
- Scanner identifies Joomla site. Fingerprint via
/administrator/,/media/com_sppagebuilder/, or/index.php?option=com_sppagebuilder. - Scanner tests the vulnerable page-builder upload endpoint. For CVE-2026-48908, the
uploadCustomIconendpoint. For CVE-2026-56290, the analogous unauthenticated endpoint in Joomlack Page Builder. - Attacker uploads a PHP payload. Typically a small dropper that decodes a base64-encoded second-stage web shell into the Joomla filesystem.
- Attacker executes the payload. The dropper adds a Super Administrator account (typically with
@secure.local,@securemail.local, or similar unusual domain), plants a PHP file-manager backdoor in/administrator/,/media/, and/tmp/, and registers a scheduled cron job for persistence. - Attacker leaves the site alone for 30-90 days. Silent persistence lets the primary compromise blend into normal traffic while the backdoor is used to monetize later (SEO poisoning, phishing infrastructure, DDoS botnet, cryptocurrency mining, or ransomware pivot into the underlying host).
What Are the Business-Impact Scenarios NC SMBs Should Plan For?
The Joomla webshell delivers four distinct business risks, each of which has hit NC SMBs before.
| Scenario | Timeline | Business Cost |
|---|---|---|
| SEO poisoning (spam pages injected into the site) | 30-60 days after compromise | Google search de-indexing; 3-9 months of SEO recovery |
| Phishing page hosting (impersonating banks / M365 / vendors) | 15-45 days after compromise | Google Safe Browsing block, browser warnings, brand damage, potential lawsuit from impersonated party |
| Cryptocurrency mining | 7-14 days after compromise | Hosting bill spikes, site performance degradation, hosting provider suspension |
| Ransomware pivot into shared hosting environment | 30-180 days after compromise | Full site restoration required; potential impact on other tenants of shared hosting |
| Data exfiltration (customer forms, member directories) | 1-30 days after compromise | Regulatory notification (state breach laws, NC customer notification), reputation damage |
For NC nonprofits and religious organizations, the phishing-page hosting scenario has historically been the most damaging — congregations receiving phishing emails linking to the church's own compromised website causes durable trust damage even after cleanup.
What Are the Immediate Actions for NC Joomla Site Owners?
Emergency response runs in three parallel workstreams, executable inside 48 hours.
Workstream 1: Backdoor Discovery (Hours 0-6).
- Log into Joomla admin. Navigate to Users → Manage. Search for accounts with
@secure.local,@securemail.local,@mail.local, or any domain not owned by your organization. - Delete unknown Super Administrator accounts. Rotate the legitimate Super Administrator password immediately.
- Inspect
/administrator/index.phplogin logs for successful logins from unknown IPs. - Check
/tmp/,/media/,/administrator/, and/images/for.phpfiles that do not match the Joomla core file manifest.
Workstream 2: Patch and Harden (Hours 6-24).
- Update SP Page Builder to 6.6.2 or later; update Joomlack Page Builder to the vendor's patched release.
- Update Joomla core to the current stable release.
- Disable any page-builder or extension that is not actively needed.
- Enable Joomla's built-in Two Factor Authentication for all Super Administrator accounts.
Workstream 3: Post-Compromise Assurance (Hours 24-48).
- Restore from a backup taken before June 15, 2026 if available.
- If no clean backup exists, engage an incident-response firm to hunt for backdoors that survived the initial cleanup.
- File a Google Safe Browsing re-review if your site was flagged.
- Notify customers whose data was captured through website forms during the exposure window if any exfiltration is confirmed.
Explore Preferred Data's cybersecurity services
Should NC SMBs Migrate Off Joomla?
The Joomla platform is not the villain here — the villain is unpatched, unmonitored, and unfunded website operations. That said, the July 7 KEV wave is an inflection point for many NC SMBs.
| Path | Investment | Timeframe | Total Cost of Ownership (3yr) |
|---|---|---|---|
| Patch, harden, add monitoring | $3K-$8K initial, $150-$300/month monitoring | 2 weeks | $8K-$15K |
| Migrate to WordPress with managed hosting | $8K-$25K initial, $50-$200/month hosting | 6-10 weeks | $12K-$35K |
| Migrate to modern JAM-stack (Astro, Next.js, static SSG) | $15K-$40K initial, $20-$100/month hosting | 8-14 weeks | $18K-$45K |
| Migrate to Squarespace / Webflow / Wix | $5K-$15K initial, $30-$100/month hosting | 3-6 weeks | $7K-$22K |
| Migrate to SharePoint Online / Microsoft 365 | Included with M365 licensing + $5K-$20K setup | 4-8 weeks | Depends on M365 tier |
For most NC nonprofits, churches, chambers of commerce, and small-business marketing sites, the honest answer is migration to a managed-service platform (WordPress + managed host, Squarespace, Webflow, or SharePoint) — CMSs that receive continuous vendor security patches, without a local SMB IT team needing to keep track of ten extensions.
Explore Preferred Data's custom software services
How Does Preferred Data Support NC Joomla Site Owners?
Preferred Data Corporation provides emergency Joomla incident response, backdoor hunt, patch execution, and structured migration to modern platforms for NC manufacturers, healthcare providers, nonprofits, religious organizations, and professional services firms. With 37+ years of NC IT expertise and an average client retention of 20+ years, we can be on the ground this week.
- 48-hour Joomla incident response. Backdoor discovery,
@secure.localaccount cleanup, patch execution, and integrity restoration. - Structured CMS migration. Move off Joomla to WordPress-managed, JAM-stack, or Microsoft 365 with full SEO preservation, content parity, and executive-level program management.
- Managed website security. Continuous vulnerability scanning, WAF operations, uptime monitoring, and quarterly external-attack-surface review.
- Cyber-insurance renewal support. Documented compromise response, backdoor hunt evidence, and CISA-aligned remediation records.
Ready to close the Joomla backdoor and rebuild on a modern stack? Call (336) 886-3282 or contact our team.
Frequently Asked Questions
How do I know if my NC business, nonprofit, or church website is running Joomla?
Right-click the website in a browser and view page source. Look for <meta name="generator" content="Joomla in the HTML head. Or check the site's login URL — Joomla admin is typically /administrator/. If in doubt, ask your web host.
What if I use SP Page Builder but never installed it myself?
Many pre-built Joomla templates include SP Page Builder bundled. If you inherited the website from a previous developer or agency, assume every popular Joomla extension is installed until you verify the current extension inventory. Log into Joomla admin → Extensions → Manage → Manage.
Does the CVE affect Joomla itself or only the page builders?
Only SP Page Builder (up to 6.6.1) and Joomlack Page Builder (all versions prior to the vendor's fix) are directly affected by the July 7 KEV entries. Joomla core itself is not the vulnerable component. That said, an unpatched Joomla core with unpatched extensions compounds the risk.
What is the @secure.local account and why is it there?
@secure.local is the fingerprint of the July 2026 exploitation payload. The attacker's automated payload adds a Super Administrator account with that email domain to maintain persistent admin access to the site. Any account with that email or a similar .local domain that you did not create is the backdoor. Delete it and rotate credentials immediately.
Does patching alone resolve the incident?
Patching stops future exploitation but does not remove already-planted backdoors. A full response requires (a) patch, (b) backdoor account hunt, (c) filesystem integrity check, (d) log review, and (e) either restoration from a pre-compromise backup or a formal incident-response engagement to declare the site clean.
How fast can Preferred Data respond to a Joomla compromise?
Initial triage begins within four hours of engagement for NC SMBs inside our 200-mile service radius. Backdoor hunt and initial patch execution typically completes inside 24-48 hours depending on site complexity. Call (336) 886-3282.