CVE-2023-24251
Description
WangEditor v5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /dist/index.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in WangEditor v5 allows attackers to inject arbitrary JavaScript via a crafted iframe srcdoc attribute.
Vulnerability
WangEditor v5 (versions <=5) contains a stored cross-site scripting (XSS) vulnerability in the /dist/index.js component. The editor fails to properly sanitize user input for video links, specifically the iframe srcdoc attribute, allowing attackers to inject arbitrary HTML and JavaScript. [1]
Exploitation
An attacker can exploit this vulnerability by inserting a malicious `<iframe>` element with a `srcdoc` attribute containing arbitrary JavaScript. This can be done through the rich text editor's interface when creating or editing content. No authentication or special privileges are required beyond the ability to use the editor. [1]
Impact
Successful exploitation leads to stored XSS, meaning the injected script is permanently stored and executed whenever the compromised page is viewed. This can result in data theft, session hijacking, defacement, or other malicious activities within the context of the victim's browser. [1]
Mitigation
As of the publication date, no patch or fixed version has been released. The vendor has not publicly addressed the vulnerability. Users should monitor for updates and consider using content security policies (CSP) or input sanitization as workarounds. [1]
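One way to apply the input-sanitization workaround above on the server, as an added example (not WangEditor code and not a vendor fix): an allow-list sanitizer that re-serializes stored editor HTML, so `srcdoc` and any other unlisted tag or attribute is never emitted. The tag policy, the `VIDEO_HOSTS` allow-list and the host `video.example.com` are assumptions made for this sketch.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: what stored editor HTML may keep.
ALLOWED = {"p": set(), "strong": set(), "em": set(),
           "a": {"href"}, "iframe": {"src", "width", "height"}}  # no srcdoc
RAW_TEXT = {"script", "style"}        # dropped together with their content
VIDEO_HOSTS = {"video.example.com"}   # hypothetical embed allow-list

def url_ok(tag, value):
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    host_ok = tag != "iframe" or parts.hostname in VIDEO_HOSTS
    return parts.scheme == "https" and host_ok  # no javascript:, data:, relative

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = {n: v for n, v in attrs if n in ALLOWED[tag] and v is not None
                and (n not in ("src", "href") or url_ok(tag, v))}
        if tag == "iframe" and "src" not in kept:
            return                    # no vetted src: drop the whole element
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            # Close the matching element and anything left open inside it.
            idx = len(self.stack) - 1 - self.stack[::-1].index(tag)
            self.out += [f"</{t}>" for t in reversed(self.stack[idx:])]
            del self.stack[idx:]
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.stack)])
```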
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WangEditor/WangEditor
- Range: v5
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.