Bishop Fox specialists discovered a dangerous vulnerability in one of the most popular WYSIWYG editors, TinyMCE, created by Tiny Technologies. According to the developers, the editor is downloaded approximately 350 million times annually and is used on more than 100 million sites. TinyMCE is available for free as an open source solution, but the developers also offer paid services to users, including premium plugins, support, and deployment services.
Researchers from Bishop Fox write that TinyMCE is susceptible to an XSS vulnerability, the consequences of which depend on the specific application using the editor: privilege escalation, information theft or account hijacking is possible. Depending on the site that uses TinyMCE, an attacker could exploit the vulnerability as stored or reflected XSS, the researchers explain. Most often this leads to escalation of privileges, but it can also be used to perform actions on behalf of the user (without the latter's knowledge).
The issue was assigned CVE-2020-12648 and affects versions 5.2.1 and earlier; it has been fixed with the release of TinyMCE versions 4.9.11 and 5.4.1. The developers also published recommendations for a workaround that mitigates the vulnerability without installing patches, but still strongly recommended that users upgrade to the fixed versions, and ideally to the latest TinyMCE 5 release.