[wp-trac] [WordPress Trac] #47218: Update TinyMCE to 5.X.X or 6.X.X
WordPress Trac
noreply at wordpress.org
Wed Mar 29 23:43:23 UTC 2023
#47218: Update TinyMCE to 5.X.X or 6.X.X
-------------------------+------------------------------
Reporter: Presskopp | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: TinyMCE | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
-------------------------+------------------------------
Comment (by azaozz):
Replying to [comment:34 wpsalvio]:
> The TinyMCE version embedded in WordPress is affected by these two CVEs.
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-12648
> https://nvd.nist.gov/vuln/detail/CVE-2022-23494
Not quite :)
WordPress is not affected by
[https://nvd.nist.gov/vuln/detail/CVE-2020-12648 CVE-2020-12648], as
TinyMCE was updated to 4.9.11 two years ago. See [49557].
I'm not able to reproduce [https://nvd.nist.gov/vuln/detail/CVE-2022-23494
CVE-2022-23494]. Not even sure if it affects TinyMCE 4.x; the examples are
only for 5.x and 6.x. Also not sure how that can be exploited in WP. It seems
to require a "rogue" TinyMCE plugin to be loaded, which is not possible in
normal operation. (If somebody has access to PHP or JS to load a TinyMCE
plugin, they can completely take over "everything". No point in compromising
just the editor.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47218#comment:35>
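Added example (editor's note, not part of the ticket comment or of WordPress core): a check a site owner can run in the browser console with the classic editor loaded, to confirm which TinyMCE build is actually served and whether it falls inside the CVE-2020-12648 range. It assumes the TinyMCE 4.x/5.x globals `tinymce.majorVersion` and `tinymce.minorVersion` (strings such as "4" and "9.11"), and takes the fixed versions from the NVD description linked above (4.9.11 for the 4.x branch, 5.4.1 for 5.x). The point of the helper is that "4.9.9" sorts after "4.9.11" as a string, so the comparison has to be done per numeric component.

```javascript
// Added example, not from the ticket or from WordPress/TinyMCE code.
// TinyMCE 4.x/5.x expose the build as two strings, e.g.
//   tinymce.majorVersion === "4", tinymce.minorVersion === "9.11"
// Join them and compare component-wise as integers.
function parseTinymceVersion(majorVersion, minorVersion) {
  const parts = `${majorVersion}.${minorVersion}`.split('.').map(Number);
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised TinyMCE version ${majorVersion}.${minorVersion}`);
  }
  while (parts.length < 3) parts.push(0); // "4.9" -> [4, 9, 0]
  return parts;
}

// Returns -1, 0 or 1 like a comparator; missing trailing components count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Fixed versions as stated in the NVD entry for CVE-2020-12648:
// "TinyMCE before 4.9.11 and 5.x before 5.4.1".
const CVE_2020_12648_FIXED = { 4: [4, 9, 11], 5: [5, 4, 1] };

function affectedByCve202012648(majorVersion, minorVersion) {
  const v = parseTinymceVersion(majorVersion, minorVersion);
  if (v[0] < 4) return true;                 // literally "before 4.9.11"
  const fixed = CVE_2020_12648_FIXED[v[0]];
  if (!fixed) return false;                  // 6.x shipped after the fix
  return compareVersions(v, fixed) < 0;
}

// Usage in the browser console on a wp-admin page with the classic editor loaded.
// The typeof guard keeps the file runnable where no TinyMCE global exists.
if (typeof tinymce !== 'undefined') {
  const loaded = `${tinymce.majorVersion}.${tinymce.minorVersion}`;
  console.log(`TinyMCE ${loaded}:`,
    affectedByCve202012648(tinymce.majorVersion, tinymce.minorVersion)
      ? 'inside the CVE-2020-12648 range'
      : 'not in the CVE-2020-12648 range');
}
```

For a 4.9.11 build (the version the comment above says WordPress ships) the check reports "not in the CVE-2020-12648 range"; for 4.9.9 or 4.9.10 it reports the build as affected. The same build string is also recorded server-side in `wp-includes/version.php` as `$tinymce_version`, but that value is a concatenated build identifier rather than a dotted version, so the console check is the simpler one to read.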