Title: TinyMCE Exploit
Last modified: August 19, 2016

---

# TinyMCE Exploit

 *  [supert3d](https://wordpress.org/support/users/supert3d/)
 * (@supert3d)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/tinymce-exploit/)
 * Tonight I came across a bizarre problem. What started out as a puzzle as to why
   all my sister's images in ZenPhoto were no longer showing led me on a path that
   ultimately exposed a pretty nasty exploit in an older version of WordPress, more
   specifically its WYSIWYG editor, TinyMCE.
 * It turned out that every single PHP page on my sister's domain had been injected
   with base64 encoded code. [After decoding](http://www.rozphillips.com/test.php)
   it became quite apparent the eval(base64_encode()) included on every PHP page
   exploited this file: /blog/wp-includes/js/tinymce/themes/advanced/images/xp/
   js.php
 * I then proceeded to open this file and noted, to my surprise, 1kLOC or more of
   base64 encoded code. I had to parse it twice to [un-encode](http://www.rozphillips.com/test2.php)
   it and it suddenly became as clear as day that this modified script was responsible
   for injecting all my PHP files.
 * I have since removed WordPress from my sister's domain as she no longer uses it,
   but let this be a cautionary tale for anyone using an older version of TinyMCE
   as a WYSIWYG editor. This has nothing to do with the core code of WordPress;
   as far as I can tell this only affects TinyMCE, which WordPress uses.
 * I originally [posted to this forum](http://www.tinyportal.net/index.php/topic,26106.20.html),
   which led me to this exploit. The thread may contain additional information in
   the future, so I've included a bookmark for reference.
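
A triage script for the infection pattern described in this post, added here as an example and not part of the original thread or of WordPress or TinyMCE. It assumes the injected wrapper takes the common `eval(base64_decode("..."))` form, peels nested base64 layers (the poster had to decode twice), and pulls out any `include`/`require` target so the dropped backdoor file can be located. The sample files and payloads are constructed for the example; only the js.php path comes from the post.

```python
"""Find eval(base64_decode(...)) droppers in PHP source and recover the payload.

Added example for triaging a compromised PHP site; sample data below is constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Outer wrapper: eval(base64_decode('...')) with either quote style and loose spacing.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# Inner layers: any further base64_decode('...') call inside a decoded payload.
INNER_B64_RE = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# include/require targets in the final plaintext, e.g. include("/path/to/js.php");
INCLUDE_RE = re.compile(r"""(?:include|require)(?:_once)?\s*\(?\s*(['"])([^'"]+)\1""")


@dataclass
class Finding:
    offset: int            # byte offset of the dropper in the file
    layers: int            # how many base64 layers were peeled
    payload: str           # recovered plaintext PHP
    includes: list = field(default_factory=list)  # include/require targets found


def _decode_layer(b64text: str):
    """Strip whitespace and strictly base64-decode; None if it is not valid UTF-8 base64."""
    compact = re.sub(r"\s+", "", b64text)
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def peel(b64text: str, max_layers: int = 8):
    """Decode repeatedly while the result still wraps another base64_decode().
    Returns (plaintext, layers_decoded); (None, 0) if the first layer is not base64."""
    text = _decode_layer(b64text)
    if text is None:
        return None, 0
    layers = 1
    while layers < max_layers:
        m = INNER_B64_RE.search(text)
        if not m:
            break
        nxt = _decode_layer(m.group(2))
        if nxt is None:
            break
        text = nxt
        layers += 1
    return text, layers


def scan_php(source: str):
    """Return a Finding for every decodable eval(base64_decode(...)) in one file."""
    findings = []
    for m in EVAL_B64_RE.finditer(source):
        payload, layers = peel(m.group(2))
        if payload is None:
            continue
        includes = [i.group(2) for i in INCLUDE_RE.finditer(payload)]
        findings.append(Finding(m.start(), layers, payload, includes))
    return findings


def scan_site(files: dict) -> dict:
    """Map filename -> findings for every file that carries a dropper."""
    return {name: f for name, src in files.items() if (f := scan_php(src))}


# --- constructed sample data (not the real malware from the thread) ---
BACKDOOR_PATH = "/blog/wp-includes/js/tinymce/themes/advanced/images/xp/js.php"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


INNER = 'include("' + BACKDOOR_PATH + '");'
SINGLE_LAYER = '<?php eval(base64_decode("' + _b64(INNER) + '")); ?>'
_wrapper = 'eval(base64_decode("' + _b64(INNER) + '"));'
DOUBLE_LAYER = '<?php eval(base64_decode("' + _b64(_wrapper) + '")); ?>'  # wrapped twice
CLEAN = "<?php echo 'hello'; ?>"

SAMPLE_SITE = {
    "index.php": SINGLE_LAYER + "\n" + CLEAN,
    "about.php": DOUBLE_LAYER,
    "clean.php": CLEAN,
}

if __name__ == "__main__":
    for name, findings in scan_site(SAMPLE_SITE).items():
        for f in findings:
            print(f"{name}: {f.layers} layer(s) at byte {f.offset}; includes {f.includes}")
```

On a real site you would feed `scan_site` the contents of every `*.php` file under the web root; the `includes` list is the thing to act on, since the file it names (here the js.php under the TinyMCE theme images directory) is the actual backdoor and the wrappers in the other pages are only loaders for it.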

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [NC@WP](https://wordpress.org/support/users/ncwp/)
 * (@ncwp)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/tinymce-exploit/#post-866469)
 * Can you identify the version of tinyMCE that was affected? Failing that, which
   version of WordPress were you running?
 *  Thread Starter [supert3d](https://wordpress.org/support/users/supert3d/)
 * (@supert3d)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/tinymce-exploit/#post-866618)
 * Versioning info:
 * WordPress: Version 2.0
 * TinyMCE: Version 2.0 (extracted from code)
 * ```js
   function TinyMCE() {
       this.majorVersion = "2";
       this.minorVersion = "0";
       this.releaseDate = "2005-12-01";
       ...
   }
   ```
 * Interesting comment I found whilst trawling through core code… made me chuckle…
 * > ` // "When trying to design a foolproof system,
   >  // never underestimate the
   > ingenuity of the fools :)" -- Dougal
 * source : wp-includes/functions.php


The topic ‘TinyMCE Exploit’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [tinymce](https://wordpress.org/support/topic-tag/tinymce/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 2 replies
 * 2 participants
 * Last reply from: [supert3d](https://wordpress.org/support/users/supert3d/)
 * Last activity: [17 years, 8 months ago](https://wordpress.org/support/topic/tinymce-exploit/#post-866618)
 * Status: not resolved
