VYPR
Moderate severity · OSV Advisory · Published Jan 3, 2024 · Updated Nov 28, 2025

Cross-site scripting vulnerability in TinyMCE

CVE-2024-21911

Description

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TinyMCE before 5.6.0 has a stored XSS vulnerability in URL sanitization, allowing arbitrary JavaScript execution via crafted content.

TinyMCE versions prior to 5.6.0 contain a stored cross-site scripting (XSS) vulnerability in the core parser's URL sanitization logic. The flaw occurs when the editor processes specially crafted content inserted via the clipboard or APIs, failing to properly sanitize URLs in iframe, object, and embed elements [2]. This allows an attacker to inject arbitrary HTML and JavaScript that executes in the context of another user's browser session when they view or edit the affected content [1].

An unauthenticated remote attacker can exploit this by crafting malicious HTML content and inserting it into the editor's storage (e.g., through a comment field, blog post, or page). No authentication is required beyond the ability to submit content to the editor. The attack triggers when a victim—such as another editor or site visitor—loads the stored content, resulting in XSS payload execution [2].

Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, credential theft, defacement, or other client-side attacks. The impact is heightened in multi-tenant environments where editors share a common TinyMCE instance [1][2].

The vulnerability was patched in TinyMCE 5.6.0, released on December 8, 2020, by improving URL sanitization [1][2]. Users unable to upgrade can work around the issue by manually sanitizing iframe, object, and embed URL attributes using a node filter, or by disabling those elements with the invalid_elements setting [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
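The workaround above (a node filter over iframe, object and embed URL attributes, or disabling those elements with invalid_elements) is easy to get wrong if the URL check is a naive string comparison, because browsers strip whitespace and control characters before resolving a scheme. The following is an added example, not TinyMCE's own code or the patch that shipped in 5.6.0. It implements a scheme allow-list that normalises the value first, applies it to a constructed stand-in for parser nodes, and shows both mitigation shapes as editor configuration. `invalid_elements`, `editor.parser.addNodeFilter`, `node.attr()` and `node.remove()` are documented TinyMCE 5 settings and APIs; the function names `urlScheme`, `isSafeEmbedUrl`, `filterEmbedNodes` and the config object names are assumptions of this example, and the sample nodes are constructed.

```javascript
// Scheme allow-list for embedded content URLs. Anything else (javascript:,
// data:, vbscript:, ...) is rejected; enumerating bad schemes is the fragile way round.
const SAFE_SCHEMES = new Set(['http', 'https']);

// Extract the URL scheme the way a browser would see it: ASCII whitespace and
// control characters are dropped first and the match is case-insensitive, so
// "  JavaScript:" or "java\tscript:" still resolve to "javascript".
// Returns null for relative and protocol-relative URLs (no scheme present).
function urlScheme(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// True when the attribute value may stay on an iframe/object/embed element.
// Assumes the value is already entity-decoded, which holds for a parser
// node's attribute (as opposed to raw HTML source text).
function isSafeEmbedUrl(url) {
  if (url === undefined || url === null) return true; // no URL attribute at all
  const scheme = urlScheme(url);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Apply the policy to a list of parser nodes. The node shape { name, attrs }
// is a constructed stand-in for TinyMCE's Node objects so this runs offline.
// Elements carrying an unsafe URL are dropped entirely rather than left in
// place with the attribute stripped. <object> uses "data", the others "src".
function filterEmbedNodes(nodes) {
  return nodes.filter((node) => {
    const urlAttr = node.name === 'object' ? 'data' : 'src';
    return isSafeEmbedUrl(node.attrs[urlAttr]);
  });
}

// Mitigation 1: strip the elements altogether. `invalid_elements` is a
// documented TinyMCE setting and is the right choice when embeds are not needed.
const strictConfig = {
  selector: 'textarea',
  invalid_elements: 'iframe,object,embed',
};

// Mitigation 2: keep embeds but vet their URLs with a node filter. The setup
// callback only runs when tinymce.init() is called with this object, so it is
// inert in this stand-alone example; the node API calls are TinyMCE 5's.
const filteredConfig = {
  selector: 'textarea',
  setup(editor) {
    editor.parser.addNodeFilter('iframe,object,embed', (nodes) => {
      for (const node of nodes) {
        const urlAttr = node.name === 'object' ? 'data' : 'src';
        if (!isSafeEmbedUrl(node.attr(urlAttr))) node.remove();
      }
    });
  },
};

// Constructed sample input mimicking content pasted into the editor:
// two legitimate embeds and two that a naive "startsWith('javascript:')"
// check would miss because of leading whitespace and the data: scheme.
const sampleNodes = [
  { name: 'iframe', attrs: { src: 'https://video.example/embed/42' } },
  { name: 'iframe', attrs: { src: ' \tJavaScript:1' } },
  { name: 'object', attrs: { data: 'data:text/html,x' } },
  { name: 'embed', attrs: { src: '/media/clip.swf' } },
];

// Two of the four constructed nodes survive the filter.
const survivors = filterEmbedNodes(sampleNodes);
console.log(survivors.map((n) => `${n.name}: ${n.attrs.src || n.attrs.data}`).join('\n'));
```

The allow-list is deliberately limited to http and https; relative and protocol-relative URLs pass because they cannot carry a script scheme. If a deployment also needs, say, blob: previews, add that scheme explicitly rather than loosening the check.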

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
tinymce            npm         < 5.6.0             5.6.0
TinyMCE            NuGet       < 5.6.0             5.6.0
tinymce/tinymce    Packagist   < 5.6.0             5.6.0

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)