• In our recent security scan, we found a known js vulnerability in WP core, it is on the tinyMCE module of the core WP.

    Here is the message:

    tinyMCE	4.9.11	Found in https://www.tfc-usa.com/barangaybillboard/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110 - Vulnerability info:
    medium	CDATA parsing and sanitization has been improved to address a cross-site scripting (XSS) vulnerability....

    We are using the latest WP version (6.1.1).
    The file is located here wp-includes/js/tinymce/tinymce.min.js

    Could anyone please advise, is it still safe?

    Thanks!

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Use of JavaScript Library with Known Vulnerability in core tinyMCE

    Where are you getting this alert from? What tool is telling you this? Is there any public resource that says anything about this TinyMCE 4.9.11 vulnerability?

    I’m asking because the “message” you quoted seems to be a changelog listing something that was fixed in 4.9.11 (or earlier), and not a new vulnerability.

    What’s more, I searched and didn’t find anything about known vulnerabilities in 4.9.11. Instead, this v4xx changelog page lists a handful of vulnerabilities that were fixed in earlier versions, with 4.9.11 being the latest release of the 4.x branch.
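    As an added example (not part of this thread, and not Retire.js's own code), the snippet below reproduces the check the reply above is making: parse the tab-separated alert line quoted in the question, then compare the detected version against Retire.js-style "atOrAbove"/"below" ranges. The vulnerability records are constructed for illustration and are not the real Retire.js repository entries for TinyMCE; the field names follow the Retire.js repository format as an assumption. A version equal to the "below" boundary is outside the range, which is why a changelog entry describing a fix that shipped in a release does not by itself make that release vulnerable.

```python
import re

# Constructed records in the Retire.js repository shape (assumption about the
# format; the values are NOT the real entries for TinyMCE).
SAMPLE_REPO = {
    "tinymce": {
        "vulnerabilities": [
            {   # constructed: fix shipped in 4.9.11, so 4.9.11 itself is outside the range
                "below": "4.9.11",
                "severity": "medium",
                "identifiers": {"summary": "CDATA parsing and sanitization improved (XSS)"},
            },
            {   # constructed: an issue confined to a 4.0.x window
                "atOrAbove": "4.0.0",
                "below": "4.0.21",
                "severity": "high",
                "identifiers": {"summary": "constructed example issue"},
            },
        ]
    }
}

# The alert line as quoted in the question (tab-separated, as Retire.js prints it).
SAMPLE_ALERT = (
    "tinyMCE\t4.9.11\tFound in https://www.tfc-usa.com/barangaybillboard/"
    "wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110 - Vulnerability info:"
)


def parse_alert(line):
    """Extract (library, version, url) from a Retire.js-style alert line."""
    m = re.match(r"^(?P<lib>\S+)\t(?P<ver>\d+(?:\.\d+)*)\tFound in (?P<url>\S+)", line)
    if not m:
        raise ValueError("unrecognised alert line")
    return m.group("lib").lower(), m.group("ver"), m.group("url")


def parse_version(text):
    """'4.9.11' -> (4, 9, 11); a non-numeric piece counts as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def cmp_versions(a, b):
    """Return -1, 0 or 1 comparing dotted versions numerically, padding with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(version, vuln):
    """True if version lies in [atOrAbove, below): the 'below' bound is exclusive."""
    if "atOrAbove" in vuln and cmp_versions(version, vuln["atOrAbove"]) < 0:
        return False
    if "below" in vuln and cmp_versions(version, vuln["below"]) >= 0:
        return False
    return True


def affected_vulns(lib, version, repo=SAMPLE_REPO):
    """All records from the repo whose range contains the detected version."""
    return [v for v in repo.get(lib, {}).get("vulnerabilities", []) if in_range(version, v)]


def triage(line, repo=SAMPLE_REPO):
    """Turn an alert line into a short verdict a reviewer can act on."""
    lib, version, url = parse_alert(line)
    hits = affected_vulns(lib, version, repo)
    if not hits:
        return f"{lib} {version} at {url}: no range in the repo includes this version"
    worst = max(hits, key=lambda v: {"low": 1, "medium": 2, "high": 3}.get(v["severity"], 0))
    return f"{lib} {version}: {len(hits)} matching range(s), worst severity {worst['severity']}"


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

    Run as-is it reports that 4.9.11 matches no constructed range; swapping the version in the alert for 4.9.10 produces a medium hit. The same comparison is what the scanner does against its real repository, so the next step when an alert looks wrong is to read the actual repository record for the library and confirm which bound the detected version sits on.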

    Thread Starter mahmudsg

    (@mahmudsg)

    Hi @gappiah ,
    Thanks for the quick reply!

    It is Retire.js, a browser add-on.

    We are getting this security flag on any page/post edit screen, and also on any page/plugin that uses the TinyMCE editor.

    Please take a look here https://prnt.sc/I9GwG7p5FERa

    Here is a front-end form also triggering the same security flag https://www.tfc-usa.com/barangaybillboard/submit-an-event/

  • The topic ‘Use of JavaScript Library with Known Vulnerability in core tinyMCE’ is closed to new replies.