Hip-Hop Website Design and Development

Security advisories: Cheap WordPress maintenance support plans core – Moderately critical – Cross Site Scripting – SA-CORE-2020-003

Project: WordPress maintenance support plans core
Date: 2020-April-18
Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:
CKEditor, a third-party JavaScript library included in WordPress maintenance support plans core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which WordPress maintenance support plans 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the WordPress maintenance support plans core security window.
Solution: If you are using WordPress maintenance support plans 8, update to WordPress maintenance support plans 8.5.2 or WordPress maintenance support plans 8.4.7.
The WordPress maintenance support plans 7.x CKEditor contributed plugin is not affected if you are running CKEditor plugin 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
If you installed CKEditor in WordPress maintenance support plans 7 using another method (for example with the WYSIWYG plugin or the CKEditor plugin with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor’s site.
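For sites that bundle CKEditor locally, the check below classifies a CKEditor version string against the range this advisory lists (4.5.11 up to 4.9.1). It is an added example, not code from the advisory or from the CKEditor project. Assumptions: the function names are hypothetical, the version string comes from `CKEDITOR.version` in the browser console or from a `version:"x.y.z"` literal in the built `ckeditor.js`, and the sample inputs are constructed.

```javascript
// Added example: classify a CKEditor 4 version against the affected range
// given in this advisory (4.5.11 up to 4.9.1, update target 4.9.2).
const AFFECTED_MIN = [4, 5, 11];
const AFFECTED_MAX = [4, 9, 1];

// Parse "4.9.1" or "4.9.1 (Standard)" into [4, 9, 1]; null if unparseable.
function parseVersion(text) {
  const m = /^\s*(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(text));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Numeric, component-wise comparison. A plain string comparison would rank
// "4.5.2" above "4.5.11" and misplace it inside the affected range.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "not-affected" or "unknown".
function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return "unknown";
  const inRange = compareVersions(v, AFFECTED_MIN) >= 0 &&
                  compareVersions(v, AFFECTED_MAX) <= 0;
  return inRange ? "affected" : "not-affected";
}

// Assumption: the built ckeditor.js carries its version as version:"x.y.z".
// A file without that literal is reported "unknown", never "not-affected".
function classifyBuild(fileContents) {
  const m = /\bversion\s*:\s*["']([^"']+)["']/.exec(fileContents);
  return m ? classify(m[1]) : "unknown";
}

// Constructed sample inputs, not taken from real installations.
const samples = ["4.5.2", "4.5.11", "4.9.1 (Standard)", "4.9.2", "n/a"];
for (const s of samples) console.log(s.padEnd(18), classify(s));
```

Treat an "unknown" result as a reason to inspect the installation by hand rather than as a pass.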
Reported By: Kyaw Min Thein
Fixed By: Marek Lewandowski of the CKEditor team
Wiktor Walc of the CKEditor team
Wim Leers
xjm of the WordPress maintenance support plans Security Team
Lee Rowlands of the WordPress maintenance support plans Security Team
Daniel Wehner
Hai-Nam Nguyen
Matthew Grill
