Title: Tiny MCE Vulnerablity
Last modified: April 9, 2025

---

# Tiny MCE Vulnerablity

 *  [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/)
 * Hi Guys, WordPress latest version 6.7.2 comes with TinyMCE 4.9.11 version which
   show vulnerability issues. How to get the vulnerability issue fixed? Why WordPress
   is not coming with latest version of TinyMce? Can anyone help.
 * Vulnerable javascript library: TinyMCE
   version: 4.9.11
   script uri: [wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110](https://lmsuat.tradeday.com/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110)
   Details: TinyMCE 5.1.6 provides improvement in CDATA parsing and sanitization
   to address a cross-site scripting (XSS) vulnerability. Please refer to vendor
   documentation ([https://www.tiny.cloud/docs/release-notes/release-notes516/](https://www.tiny.cloud/docs/release-notes/release-notes516/))
   for more information.

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [wpprup](https://wordpress.org/support/users/wppraesenz/)
 * (@wppraesenz)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18416572)
 * I second this – no updates for over a year!? This plugin with no support answers,
   a living corpse? Ready to be deinstalled?
 *  Thread Starter [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18416656)
 * Hi, we want to know why WordPress has not removed this plugin from its core package,
   and if there is any workaround provided by WordPress so that this vulnerability
   in WordPress gets fixed.
 * As already mentioned, the WordPress core package has a file in this directory with
   version 4.9, path wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
 *  [peopleinside](https://wordpress.org/support/users/peopleinside/)
 * (@peopleinside)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18420530)
 * Hi, the file mentioned is present also if you uninstall the plugin.
   Are you sure there is a real vulnerability, and that this one is from this plugin?
 * Also your vendor link in the first post is broken.
 *  [peopleinside](https://wordpress.org/support/users/peopleinside/)
 * (@peopleinside)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18420649)
 * I created a report to WordPress Core via HackerOne; someone will look at this.
 *  Thread Starter [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18421217)
 * Thanks, can I get the HackerOne ticket URL to monitor?
 *  [peopleinside](https://wordpress.org/support/users/peopleinside/)
 * (@peopleinside)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18421308)
 * [3097785](https://hackerone.com/reports/3097785)
 *  [peopleinside](https://wordpress.org/support/users/peopleinside/)
 * (@peopleinside)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18421875)
 * [@praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * You may find interesting reading this topic:
   [https://core.trac.wordpress.org/ticket/47218](https://core.trac.wordpress.org/ticket/47218)
 *  Plugin Author [Andrew Ozz](https://wordpress.org/support/users/azaozz/)
 * (@azaozz)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18423146)
 * Hi [@praveenelevon](https://wordpress.org/support/users/praveenelevon/), [@peopleinside](https://wordpress.org/support/users/peopleinside/)
   were you able to reproduce this vulnerability?
 * > the file mentioned is present also if you uninstall the plugin
 * Right, TinyMCE is part of WordPress, not this plugin.
 * > You may find interesting reading this topic
 * Yea, seems this has been reported and discussed on Trac.
 *  Thread Starter [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18423698)
 * Hi Andrew,
 * We have done vulnerability scanning of the site and found that this file with an
   older TinyMCE version exists in the WordPress core files. I have mentioned the path
   of the file, so they suggest updating to the latest version as the old version has
   a vulnerability issue. Is the WordPress team planning to update this file or remove
   it if not required? That's what we need to know:
 * As already mentioned, the WordPress core package has a file in this directory with
   version 4.9, path wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
 *  Plugin Author [Andrew Ozz](https://wordpress.org/support/users/azaozz/)
 * (@azaozz)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/#post-18434504)
 * [@praveenelevon](https://wordpress.org/support/users/praveenelevon/) I understand
   your concern. However it seems the vulnerabilities being reported may not affect
   old versions of TinyMCE like [version 4.9.11](https://github.com/WordPress/wordpress-develop/blob/trunk/src/js/_enqueues/vendor/tinymce/tinymce.js)
   that is currently used in WordPress. Please see [https://core.trac.wordpress.org/ticket/47218#comment:34](https://core.trac.wordpress.org/ticket/47218#comment:34).
 * Would it be possible to confirm the vulnerability scan result? For example a 
   CVE number like in the above linked comment would be nice.
 *  Thread Starter [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/page/2/#post-18446153)
 * Hi [@azaozz](https://wordpress.org/support/users/azaozz/) , we get CVE-2024-29881,
   CVE-2024-29203. Scan result as follows:
 * Vulnerable javascript library: TinyMCE
   version: 4.9.11
   script uri: [https://lmsuat.tradeday.com/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110](https://lmsuat.tradeday.com/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110)
   Details: TinyMCE 5.1.6 provides improvement in CDATA parsing and sanitization
   to address a cross-site scripting (XSS) vulnerability. Please refer to vendor
   documentation ([https://www.tiny.cloud/docs/release-notes/release-notes516/](https://www.tiny.cloud/docs/release-notes/release-notes516/))
   for more information.
 * TinyMCE 5.2.2 provides fix for media embed content not processing safely in some
   cases. Please refer to vendor documentation ([https://www.tiny.cloud/docs/release-notes/release-notes522/](https://www.tiny.cloud/docs/release-notes/release-notes522/))
   for more information.
 * TinyMCE 5.4 Fixed content in an iframe element parsing as DOM elements instead
   of text content. Please refer to vendor documentation ([https://www.tiny.cloud/docs/release-notes/release-notes54/](https://www.tiny.cloud/docs/release-notes/release-notes54/))
   for more information.
 * CVE-2024-29203: A Cross-Site Scripting (XSS) Vulnerability exists in TinyMCE’s
   content insertion code. This allows ‘iframe’ elements containing malicious code
   to execute when inserted into the editor. These ‘iframe’ elements are restricted
   in their permissions by same-origin browser protections, but could still trigger
   operations such as downloading of malicious assets. Solution: Upgrade TinyMCE
   to version 7.0.0 or later. For more information pertaining to this vulnerability,
   please refer to the TinyMCE Security Advisory ([https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f](https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f)).
 * CVE-2024-29881: A Cross-Site Scripting (XSS) Vulnerability exists in TinyMCE’s
   content loading and content insertion code. This vulnerability allows for the
   loading of an SVG image through an ‘object’ or ‘embed’ element, which could potentially
   contain an XSS payload. Solution: Upgrade TinyMCE to version 7.0.0 or later. For
   more information pertaining to this vulnerability, please refer to the TinyMCE Security
   Advisory ([https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78](https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78)).
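The scan output above is a version-string match, which is exactly the gap Andrew points at: the scanner flags 4.9.11 because it predates each fix version, not because it confirmed the shipped code is affected. As an added example (not from this thread or the plugin), a small Python triage script that parses that output format, compares the detected version with each fix version, and separates findings that carry a CVE and advisory (which can be confirmed against 4.9.11) from bare release-note entries (which cannot). The sample input is constructed from the thread's scan text with a placeholder host.

```python
import re

# Constructed sample modelled on the scanner output pasted in the thread.
# The host is a placeholder; versions, CVEs and advisory ids are those the scanner reported.
SCAN_OUTPUT = """\
Vulnerable javascript library: TinyMCE
version: 4.9.11
script uri: https://example.invalid/wp-includes/js/tinymce/tinymce.min.js?ver=49110-20201110
Details: TinyMCE 5.1.6 provides improvement in CDATA parsing and sanitization to address a cross-site scripting (XSS) vulnerability.
TinyMCE 5.2.2 provides fix for media embed content not processing safely in some cases.
TinyMCE 5.4 Fixed content in an iframe element parsing as DOM elements instead of text content.
CVE-2024-29203: XSS in TinyMCE's content insertion code ('iframe' elements). Solution: Upgrade TinyMCE to version 7.0.0 or later. See https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
CVE-2024-29881: XSS via an SVG loaded through an 'object' or 'embed' element. Solution: Upgrade TinyMCE to version 7.0.0 or later. See https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78
"""

def parse_version(text):
    """'5.4' -> (5, 4); tuples compare component-wise, like dotted versions."""
    return tuple(int(p) for p in text.split("."))

def parse_scan(text):
    """Return the detected library version and one finding per fix statement."""
    detected = re.search(r"^version:\s*([\d.]+)\s*$", text, re.M).group(1)
    findings = []
    for line in text.splitlines():
        cve = re.match(r"(CVE-\d{4}-\d+):", line)
        if cve:  # CVE line: fix version and advisory link are extractable
            fixed = re.search(r"Upgrade TinyMCE to version ([\d.]+)", line).group(1)
            adv = re.search(r"https://\S+", line)
            findings.append({"cve": cve.group(1), "fixed_in": fixed,
                             "advisory": adv.group(0) if adv else None})
            continue
        note = re.match(r"(?:Details:\s*)?TinyMCE ([\d.]+) (?:provides|Fixed)", line)
        if note:  # release-note entry: a fix version but nothing to confirm against
            findings.append({"cve": None, "fixed_in": note.group(1), "advisory": None})
    return detected, findings

def triage(detected, findings):
    """'flagged' means only that the detected version precedes the fix version.
    Whether the shipped 4.9.x code is actually affected must be checked against the
    advisory itself; 'confirmable' marks the findings where that check is possible."""
    dv = parse_version(detected)
    return [{**f, "confirmable": f["cve"] is not None,
             "verdict": "flagged" if dv < parse_version(f["fixed_in"]) else "not-applicable"}
            for f in findings]

if __name__ == "__main__":
    version, found = parse_scan(SCAN_OUTPUT)
    for row in triage(version, found):
        print(row["cve"] or "(no CVE)", row["verdict"], "fixed in", row["fixed_in"], row["advisory"] or "")
```

Running it lists all five findings as flagged for 4.9.11, but only the two CVE rows carry an advisory URL to check the code against, which is the confirmation Andrew asked for.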
 *  Thread Starter [praveenelevon](https://wordpress.org/support/users/praveenelevon/)
 * (@praveenelevon)
 * [1 year ago](https://wordpress.org/support/topic/tiny-mce-vulnerablity/page/2/#post-18468548)
 * Hi [@azaozz](https://wordpress.org/support/users/azaozz/) ,
 * Any update on this? Is it secure?
