CVE-2022-23494: XSS vulnerability affects the TinyMCE rich text editor

A potentially cross-site scripting (XSS) vulnerability affecting the TinyMCE rich text editor can be exploited for privilege escalation, obtaining information, or account takeover.

TinyMCE is an online rich-text editor released as open-source software under the MIT License. It has the ability to convert HTML text area fields or other HTML elements to editor instances.  According to Tiny Technologies, the editor has been downloaded 350 million times per year and it’s included in more than 100 million websites. As a high-powered WYSIWYG editor, TinyMCE is built to scale, designed to innovate, and thrives on delivering results to difficult edge cases.


The flaw tracked as CVE-2022-23494, impacts version >=6.0.0 and prior version 6.3.1, and prior version 5.10.7, and it was patched this week with the release of versions 6.3.1 and 5.10.7. Researcher P4rkJW has been credited for discovering this vulnerability.

The security vulnerability was caused by improper validation of user-supplied input when HTML is inserted into the DOM for presentation in TinyMCE alert and confirm dialogs. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current userread the company’s own advisory.

CVE-2022-23494 has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1.  To reduce the impact of this vulnerability, users may ensure that the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.