Changes between Initial Version and Version 1 of Ticket #47218, comment 35
Timestamp: 03/29/2023 11:44:19 PM (18 months ago)
initial  v1
7        7    Not quite :)
8        8
9        -    WordPress is not affected by [https://nvd.nist.gov/vuln/detail/CVE-2020-12648 CVE-2020-12648] as the TinyMCE was updated to 4.9.11two years ago. See [49557].
-        9    WordPress is not affected by [https://nvd.nist.gov/vuln/detail/CVE-2020-12648 CVE-2020-12648] as TinyMCE was updated to 4.9.11 (the fixed version) two years ago. See [49557].
10       10
11       11   I'm not able to reproduce [https://nvd.nist.gov/vuln/detail/CVE-2022-23494 CVE-2022-23494]. Not even sure if it affects TinyMCE 4.x, the examples are only for 5.x and 6.x. Also not sure how that can be exploited in WP. Seems it requires a "rogue" TinyMCE plugin to be loaded which is not possible in normal operation. (If somebody has access to PHP or JS to load a TinyMCE plugin, they can completely take over "everything". No point to compromise just the editor.)