Urgent Wordfence High Alert for TinyMCE

I’m afraid the alerts seem legitimate and you should clean your site.

Don’t think it has anything to do with the Classic Editor plugin or with the Advanced Editor Tools plugin (where you also posted this). The unknown/likely infected files were inserted in WordPress itself not in a plugin. As the alert text indicates the path wp-includes/js/tinymce/ is part of WordPress core.

• This reply was modified 4 years ago by Andrew Ozz.

Andrew, many thanks for your quick response, it is much appreciated.

The PDFs in the cPanel File Manager were all dated 2014, and have now been deleted.

Just doing another WF Scan – I’m thinking it’s probably best to delete the TINYMCE Plugin and reinstall a fresh one.

Teena

Just doing another WF Scan – I’m thinking it’s probably best to delete the TINYMCE Plugin and reinstall a fresh one.

If you suspect you site may have been compromised (seems that way from your earlier post), best is to follow the steps to clean it. Deleting and reinstalling core and plugins is just one of them.

As you’re using Wordfence, perhaps start with https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/, then have a look at the (more general) https://www.ads-software.com/support/article/faq-my-site-was-hacked/.

Hi Andrew, TINYMCE doesn’t appear as a Plugin in the Plugins list, so I was deleting from the cPanel.

My site hadn’t been showing any signs of being hacked. Thanks for the links – I’ll check them both out.

Hi. I’m getting this problem too with Wordfence highlighting high risk files in the wp-includes/js/tinymce/ folder.

I’ve removed this folder from my C Panel and run another Wordfence scan that shows my WP install as being clean. Go back a hour later and that folder is back again and Wordfence again shows the high risk files.

How is this folder being continually re-created? Would this be the source of the porn re-directs that I’m being plagued with?