Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #47218, comment 35


Timestamp:
03/29/2023 11:44:19 PM (18 months ago)
Author:
azaozz

  • Ticket #47218, comment 35

    initial v1  
    77Not quite :)
    88
    9 WordPress is not affected by [https://nvd.nist.gov/vuln/detail/CVE-2020-12648 CVE-2020-12648] as the TinyMCE was updated to 4.9.11 two years ago. See [49557].
     9WordPress is not affected by [https://nvd.nist.gov/vuln/detail/CVE-2020-12648 CVE-2020-12648] as TinyMCE was updated to 4.9.11 (the fixed version) two years ago. See [49557].
    1010
    1111I'm not able to reproduce [https://nvd.nist.gov/vuln/detail/CVE-2022-23494 CVE-2022-23494]. Not even sure if it affects TinyMCE 4.x, the examples are only for 5.x and 6.x. Also not sure how that can be exploited in WP. Seems it requires a "rogue" TinyMCE plugin to be loaded which is not possible in normal operation. (If somebody has access to PHP or JS to load a TinyMCE plugin, they can completely take over "everything". No point to compromise just the editor.)