• Resolved prachi2patel

    (@prachi2patel)


    We use the Acunetix scanner to scan for vulnerabilities and found out that this plugin has an old version of TinyMCE – “TinyMCE Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) Vulnerability”

    Identified version is 4.9.11

    Can you please update to the latest version, 8.2.1?

  • Thread Starter prachi2patel

    (@prachi2patel)

    It’s been 3 weeks and I have not got a reply on this.

    This is a medium vulnerability and it needs an update. Can someone say when this is going to be updated?

    Plugin Author Andrew Ozz

    (@azaozz)

    Hi @prachi2patel, thanks for reporting this. I wasn’t able to find any details about this vulnerability. Also note that most of the more recent TinyMCE vulnerabilities are only for recent versions. They typically don’t exist in older versions, and the older versions like the one in WordPress are not even tested for them.

    Couple of things:

    • TinyMCE is part of WordPress core, not of this plugin.
    • As far as I’m aware there are no plans to update it in core as that will most likely break most sites that use it (TinyMCE major versions are not backwards compatible).

    In these terms it would be great if you could send more information about this vulnerability to the WordPress security team.
