Andrew Ozz

Hi @prachi2patel, thanks for reporting this. I wasn’t able to find any details about this vulnerability. Also note that most of the more recent TinyMCE vulnerabilities are only for recent versions. They typically don’t exist in older versions, and the older versions like the one in WordPress are not even tested for them.

Couple of things:

• TinyMCE is part of WordPress core, not of this plugin.
• As far as I’m aware there are no plans to update it in core as that will most likely break most sites that use it (TinyMCE major versions are not backwards compatible).

In these terms it would be great if you could send more information about this vulnerability to the WordPress security team.

The compatibility message appears because this information has not been updated for 11 months.

Right. Sorry about that, was away for quite some time. Just updated the “Tested up to” setting for WordPress 6.9 so the message will disappear.

Hi @praveenelevon, @peopleinside were you able to reproduce this vulnerability?

the file mentioned is present also if you unistall the plugin

Right, TinyMCE is part of WordPress, not this plugin.

You may find interesting reading this topic

Yea, seems this has been reported and discussed on Trac.

@ganzmavag Right, thanks for posting the link.

This should be fixed now in the latest version of Classic Editor, 1.6.6. It contains the same hotfix.

But when trying to edit with the block editor using the switch to while in the Classic editor, or edit with from the Pages entry, There was an attempt but only the link displayed and the page was blank.

Unfortunately there is always some risk of “breaking” the content when a post was started in the block editor and later edited with the classic editor. That is generally rare and doesn’t happen for “simple” content, or for very light editing.

This may get worse when a plugin is involved. Was thinking it may be good to add a (permanent) warning when a post containing blocks is edited with the classic editor/TinyMCE.

• This reply was modified 1 year ago by Andrew Ozz.

Yea, unfortunately the fix was buggy, fixed one thing broke another 🙁

There is a Trac ticket for this, and a hotfix plugin: https://core.trac.wordpress.org/attachment/ticket/62504/wp-fix-62504.zip. Please test if it fixes it and doesn’t cause other issues. If it works well the code will be added to the official WP hotfix plugin, and the fix will be in WP 6.7.2.

@bouk Thanks for confirming!

This bug is fixed in WP 6.7.1 scheduled for release tomorrow, November 21, 2024.

• This reply was modified 1 year ago by Andrew Ozz.

Thanks for the reports. This seems to be related to a core bug described in https://core.trac.wordpress.org/ticket/62440. This is most likely going to be fixed in WordPress 6.7.1.

@bouk If I’m not mistaken your fix is to revert the changes to the outputted HTML from Walker_Category_Checklist: https://core.trac.wordpress.org/changeset/58894/trunk/src/wp-admin/includes/class-walker-category-checklist.php. That would work for now but will probably stop working in WP 6.7.1 as it seems this regression may be fixed in the JS, not by reverting these changes.

In any case please keep an eye on the above Trac ticket if you use the suggested fix.

• This reply was modified 1 year ago by Andrew Ozz.