HIGH 8.7

CVE-2026-47762: TinyMCE Stored XSS via Protected Comments – CVSS 8.7 HIGH

TinyMCE, a widely-used open-source rich text editor, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into protected content. The flaw exists in how the editor processes specially crafted comments marked with the mce:protected tag, bypassing built-in sanitization controls. When a user later restores or views the protected content, the injected script executes in their browser. This affects users who have enabled TinyMCE's protect option, a feature designed to mark content as requiring special handling. The vulnerability has been patched in versions 5.11.1, 7.9.3, and 8.5.1.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a stored XSS flaw (CWE-79) in TinyMCE's content protection mechanism. Attackers with authenticated access can craft malicious mce:protected comments that evade the editor's content sanitization filters. Because the malicious payload is stored server-side as part of the protected content metadata, it persists across sessions. When the editor restores or renders protected content, the script executes with the privileges of the viewing user, potentially in a cross-site context depending on deployment. The root cause appears to be insufficient validation or encoding of data within the mce:protected comment wrapper, allowing comment syntax to contain unfiltered script payloads that are later unwrapped and executed.

Business impact

Organizations using TinyMCE-based document editors, content management systems, or form builders face session hijacking, credential theft, and data exfiltration risks if attackers gain authenticated access. Because the payload is stored and triggered on view, the attack surface extends to all users who subsequently access the compromised content—not just the initial editor. In multi-tenant environments or shared document platforms, a single compromised record can affect many downstream users. Remediation requires patching and potentially invalidating or re-validating existing protected content that may have been maliciously modified.

Affected systems

All deployments of TinyMCE versions prior to 5.11.1 (legacy branch), 7.9.3 (mid-term), and 8.5.1 (current) are affected. The vulnerability only manifests when the protect option is enabled in the editor configuration. Organizations should identify which applications and instances embed TinyMCE and whether they use content protection features. Third-party integrations—including WordPress plugins, CMS platforms, and custom web applications—that bundle TinyMCE are potentially affected and require verification of their upstream dependency versions.

Exploitability

Exploitation requires authenticated access to the TinyMCE editor interface (PR:L per CVSS vector), meaning an attacker must already have user privileges or a compromised account. However, the user interaction requirement (UI:R) is limited to the attacker triggering content restoration, which is a low bar in many workflows. The attack vector is network-based (AV:N) with no complex prerequisites (AC:L), making it relatively straightforward to execute once inside. The stored nature of the payload means the attacker does not need to be present when the script executes—any user viewing the affected content becomes a victim. CVSS 8.7 (HIGH) reflects the combination of moderate access requirements, high confidentiality and integrity impact, and cross-site scope.

Remediation

Upgrade to TinyMCE 5.11.1, 7.9.3, or 8.5.1 depending on your current version branch. Administrators should assess which protected content may have been modified by unauthorized parties and consider re-validating or clearing such content if compromise is suspected. If immediate patching is not feasible, disable the protect option in TinyMCE configuration to prevent new payloads from being stored, though this may impact content workflow. Implement strong access controls and session management to reduce the likelihood of authenticated compromise. Monitor for unusual editor activity or content modifications.

Patch guidance

Apply the vendor patches as soon as feasible: upgrade to 5.11.1 for the 5.x branch, 7.9.3 for the 7.x branch, or 8.5.1 for the 8.x branch. Verify the patch version in your installed instance and in any bundled or third-party integrations. If TinyMCE is embedded in a plugin or framework, check the upstream maintainer's advisory for compatible versions and upgrade guidance. After patching, clear browser caches and invalidate user sessions to prevent stale JavaScript from executing. Test content restoration workflows in a staging environment to confirm the patch does not affect legitimate protected content handling.

Detection guidance

Search logs and audit trails for authenticated users accessing the editor to create or modify protected content, particularly outside normal business hours or from unusual locations. Look for mce:protected comment patterns containing suspicious JavaScript keywords (script, eval, fetch, XMLHttpRequest) in stored content or revision history. Monitor for stored procedures or database queries that insert or update protected content metadata. Implement content security policy (CSP) headers to limit the blast radius if injected scripts do execute. Use Web Application Firewalls (WAF) to flag requests containing mce:protected payloads with inline JavaScript, though this should complement, not replace, patching.

Why prioritize this

Despite the HIGH CVSS score, this vulnerability's practical impact depends on whether the protect feature is active and whether the attacker has authenticated access. However, stored XSS in a rich text editor affects entire document audiences, multiplying the impact per compromise. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited in-the-wild exploitation at this time, but this should not lower priority for organizations heavily dependent on TinyMCE-based collaboration or content platforms. Prioritize patching if your users edit shared or sensitive content; deprioritize slightly if the protect feature is unused, but still patch to close a future attack vector.

Risk score, explained

The CVSS 8.7 (HIGH) score reflects: (1) network-based, unauthenticated-seeming attack (AV:N, AC:L), (2) moderate authentication barrier (PR:L) that is realistic in many organizations, (3) user interaction requirement (UI:R) that is low friction, (4) high impact to confidentiality and integrity (C:H, I:H) via script injection, and (5) cross-site scope (S:C) implying potential to affect other users or systems. Availability is not impacted (A:N). The score is justified for environments where TinyMCE is deployed in collaborative or customer-facing contexts; organizations with highly restricted editor access may perceive lower practical risk.

Frequently asked questions

If we don't use the protect option in TinyMCE, are we affected?

No, this specific vulnerability requires the protect option to be enabled. If your TinyMCE instances do not have protected content features configured, you are not exposed to this stored XSS flaw. However, you should still patch to prevent the feature from becoming a vector in the future if configuration changes occur.

Do we need to wipe existing protected content after patching?

Not necessarily. The patch prevents new malicious payloads from being injected and executed. Existing content that was created before compromise detection is unlikely to be malicious unless you have evidence of unauthorized modification. As a precaution, review audit logs and access controls for any suspicious editor activity in the weeks before patching.

Will this vulnerability affect TinyMCE used in an offline or air-gapped environment?

Exploitation still requires authenticated access to the editor, so even in air-gapped settings, an attacker must have legitimate or compromised credentials. However, the stored XSS payload, once injected, will persist and execute whenever content is restored, even on isolated systems. Patch regardless of network isolation.

Are older versions like 4.x affected?

The vendor advisory specifies fixes in 5.11.1, 7.9.3, and 8.5.1. Versions prior to 5.x are not explicitly mentioned in the patch guidance. If you are running 4.x, contact the vendor or check their security advisory for guidance on end-of-life support and mitigations.

This analysis is provided for informational purposes based on publicly available CVE data. CVSS scores are vendor-assigned and represent a general severity estimate; actual risk depends on your deployment, configuration, and threat model. Always verify patch compatibility and test in a non-production environment before deploying to production systems. SEC.co does not warrant the completeness or accuracy of this analysis and recommends consulting the official TinyMCE security advisory and your organization's vulnerability management process for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).