CVE-2026-48907, a CVSS 9.5 unauthenticated RCE in the Joomla Content Editor (JCE) plugin, is under active automated exploitation with CISA KEV listing and a June 19 federal agency remediation deadline confirmed. Attackers are deploying persistent web shells across vulnerable Joomla sites at scale. Concurrently, three WordPress supply chain campaigns (OptinMonster, TrustPulse, PushEngage plugins) are delivering database-resident payloads, compounding the CMS threat surface.