Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#56471 closed defect (bug) (duplicate)

TinyMCE version 4.9.11 is full of known XSS vulnerabilities

Reported by: jkfoiztmcjeikfp
Owned by:
Milestone:
Priority: normal
Severity: major
Version:
Component: TinyMCE
Keywords:
Focuses: javascript
Cc:

Description

A Whitesource Scan of the WordPress Core files results in several findings:

  • A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.
  • A cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the image and link plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. The issue only impacted users while editing, and the dangerous URLs were stripped from any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.
  • A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser of TinyMCE. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.
  • A cross-site scripting vulnerability was found in TinyMCE before 5.7.1. A cross-site scripting vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside the editor.

While these issues might not (all) seem severe, they are making it hard to use WordPress in an enterprise context where there are Whitesource Scans and teams in place to hold you accountable for security findings. If only that, they are very bad publicity.

I realize a TinyMCE upgrade has its challenges, but, as shown above, it also has great rewards.

I did not use the HackerOne program, because these are known (and fixed) vulnerabilities.
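The first and fourth findings in the report only become exploitable when editor output reaches a page without server-side sanitization (in WordPress that role is filled by the kses filters, e.g. wp_kses_post). The JavaScript below is an added illustration of the allowlist approach such a server-side pass takes, and of why URL-valued attributes must be checked against a canonical parsed form rather than the raw string. It is not TinyMCE's schema validator or WordPress's code; the element schema, the resolve base `https://site.invalid/` and the sample element list are constructed for the example.

```javascript
// Added example: allowlist-based sanitization of editor output on the server
// side. Illustrative code written for this ticket, not TinyMCE's schema
// validator or WordPress's kses filters. SCHEMA, RESOLVE_BASE and SAMPLE are
// constructed for the example.

// Only these URL schemes may appear in href/src attributes. Anything else
// (javascript:, data:, vbscript:, unknown schemes) is dropped.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Attributes whose value the browser interprets as a URL.
const URL_ATTRIBUTES = new Set(["href", "src"]);

// Hypothetical schema: element name -> attributes permitted on it. Elements
// not listed are removed entirely; event-handler attributes are never listed,
// so every on* attribute is dropped.
const SCHEMA = {
  p: new Set(),
  strong: new Set(),
  em: new Set(),
  a: new Set(["href", "title"]),
  img: new Set(["src", "alt", "width", "height"]),
};

// Base used so that relative URLs ("/uploads/a.png") resolve and inherit a
// permitted scheme. The host is a placeholder.
const RESOLVE_BASE = "https://site.invalid/";

// Decide whether a URL-valued attribute may be kept. The value is run through
// the WHATWG URL parser first: the parser lowercases the scheme and discards
// the surrounding whitespace and embedded tab/newline characters that browsers
// ignore, so the allowlist check is made against the same canonical form the
// browser will act on, not against the raw string.
function isSafeUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw), RESOLVE_BASE);
  } catch {
    return false; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Sanitize one element. Returns null if the element itself is not allowed,
// otherwise an object holding only the permitted attributes.
function sanitizeElement(tag, attrs) {
  const name = String(tag).toLowerCase();
  const allowed = SCHEMA[name];
  if (!allowed) return null;
  const clean = {};
  for (const [key, value] of Object.entries(attrs || {})) {
    const attr = key.toLowerCase();
    if (!allowed.has(attr)) continue; // not in schema: drop
    if (URL_ATTRIBUTES.has(attr) && !isSafeUrl(value)) continue; // unsafe URL: drop
    clean[attr] = value;
  }
  return clean;
}

// Sanitize a flat list of parsed elements (a constructed stand-in for the
// tree a real HTML parser would produce); disallowed elements are removed.
function sanitizeElements(elements) {
  const out = [];
  for (const el of elements) {
    const attrs = sanitizeElement(el.tag, el.attrs);
    if (attrs === null) continue;
    out.push({ tag: String(el.tag).toLowerCase(), attrs });
  }
  return out;
}

// Constructed sample input, shaped as a parser would hand it to the sanitizer.
const SAMPLE = [
  { tag: "p", attrs: {} },
  { tag: "a", attrs: { href: "https://example.com/docs", title: "docs" } },
  { tag: "a", attrs: { href: "javascript:alert(1)", onclick: "alert(1)" } },
  { tag: "img", attrs: { src: "/wp-content/uploads/a.png", alt: "logo" } },
  { tag: "script", attrs: {} },
];

console.log(JSON.stringify(sanitizeElements(SAMPLE), null, 2));
```

The point of parsing before checking is that a scheme denylist applied to the raw string is fragile, whereas an allowlist applied to the parsed `protocol` is stable across case and whitespace variations; anything the parser cannot make sense of is rejected outright. A real deployment would apply this to the parsed HTML tree, not a flat list, but the per-element decision is the same.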

Change History (2)

#1 @Presskopp
2 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #54348.

Let's go on here: #47218

#2 @SergeyBiryukov
2 years ago

  • Milestone Awaiting Review deleted