I second this – no updates for over a year!? This plugin with no support answers, a living corpse? Ready to be uninstalled?
Hi, we want to know why WordPress has not removed this plugin from its core package, and if there is any workaround provided by WordPress so that this vulnerability in WordPress gets fixed.
As already mentioned, the WordPress core package has a file in this directory with version 4.9, path: wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
Hi, the file mentioned is present also if you uninstall the plugin.
Are you sure there is a real vulnerability and this one is from this plugin?
Also your vendor link in the first post is broken.
I created a report to WordPress Core via HackerOne; someone will look at this.
Thanks, can I get the HackerOne ticket URL so I can monitor it?
Hi @praveenelevon, @peopleinside, were you able to reproduce this vulnerability?
the file mentioned is present also if you uninstall the plugin
Right, TinyMCE is part of WordPress, not this plugin.
You may find interesting reading this topic
Yeah, it seems this has been reported and discussed on Trac.
Hi Andrew,
We have done vulnerability scanning of the site and found that this file with an older TinyMCE version exists in the WordPress core files. I have mentioned the path of the file. They suggest updating to the latest version, as the old version has a vulnerability issue. Is the WordPress team planning to update this file or remove it if it is not required? That's what we need to know:
As already mentioned, the WordPress core package has a file in this directory with version 4.9, path: wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
@praveenelevon I understand your concern. However, it seems the vulnerabilities being reported may not affect old versions of TinyMCE like version 4.9.11, which is currently used in WordPress. Please see https://core.trac.wordpress.org/ticket/47218#comment:34.
Would it be possible to confirm the vulnerability scan result? For example a CVE number like in the above linked comment would be nice.
Hi @azaozz, we got CVE-2024-29881 and CVE-2024-29203. Scan result as follows:
Vulnerable javascript library: TinyMCE
version: 4.9.11
script uri: https://lmsuat.tradeday.com/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
Details:
TinyMCE 5.1.6 provides improvement in CDATA parsing and sanitization to address a cross-site scripting (XSS) vulnerability. Please refer to vendor documentation (https://www.tiny.cloud/docs/release-notes/release-notes516/) for more information.
TinyMCE 5.2.2 provides a fix for media embed content not processing safely in some cases. Please refer to vendor documentation (https://www.tiny.cloud/docs/release-notes/release-notes522/) for more information.
TinyMCE 5.4 fixed content in an iframe element parsing as DOM elements instead of text content. Please refer to vendor documentation (https://www.tiny.cloud/docs/release-notes/release-notes54/) for more information.
CVE-2024-29203: A Cross-Site Scripting (XSS) Vulnerability exists in TinyMCE's content insertion code. This allows 'iframe' elements containing malicious code to execute when inserted into the editor. These 'iframe' elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Solution: Upgrade TinyMCE to version 7.0.0 or later. For more information pertaining to this vulnerability, please refer to the TinyMCE Security Advisory (https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f).
CVE-2024-29881: A Cross-Site Scripting (XSS) Vulnerability exists in TinyMCE's content loading and content insertion code. This vulnerability allows for the loading of an SVG image through an 'object' or 'embed' element, which could potentially contain an XSS payload.
Solution: Upgrade TinyMCE to version 7.0.0 or later. For more information pertaining to this vulnerability, please refer to the TinyMCE Security Advisory (https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78).
Hi @azaozz,
Any update on this? Is it secure?