TinyMCE Advanced
[resolved] Remote File Upload Vulnerability (3 posts)

  1. henndi001
    Member
    Posted 1 year ago #

    Hello,

    I want to use your Plugin but it has weak security. I found SQL Injection, XSS and RFU vulnerabilities.

    Can you fix this and make your plugin more secure?

    regards

    https://wordpress.org/plugins/tinymce-advanced/

  2. Andrew Ozz
    WordPress Dev
    Plugin Author

    Posted 1 year ago #

    This plugin doesn't do anything/doesn't load for non logged-in users. Additionally the settings page is only accessible for admins. In those terms SQL Injections, XSS, and/or remote file upload vulnerabilities are very unlikely.

    If you believe you found vulnerabilities, please contact me privately through http://www.laptoptips.ca/contact/.

  3. Andrew Ozz
    WordPress Dev
    Plugin Author

    Posted 1 year ago #

    @henndi001 thanks for forwarding more info. Both of these advisories are about old versions of the TinyMCE "imagemanager" and "filemanager" plugins. These are commercial plugins available from Moxiecode (the makers of TinyMCE) and are not included (obviously) in TinyMCE Advanced. As far as I can tell this type of exploit was fixed in these plugins years ago.
