# Exploit Title: iframe Injection / HTML Injection in TinyMCE 5 HTML WYSIWYG
# Date: 18.10.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.tiny.cloud/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog: https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/10/iframehtml-injection-tinymce-5-html.html

PoC:

We have iframe and HTML injection in TinyMCE 5. Iframes are allowed in TinyMCE: https://www.tiny.cloud/docs/advanced/security/

I wrote to TinyMCE support with this question and got a helpful answer:

"If you wish to disallow this, you can set invalid_elements: 'iframe' in the parameters object passed to the tinymce.init function." (c)

For the tests I use the TinyMCE demo and Plone CMS with TinyMCE.

Our iframe and HTML injection on the demo: Insert - Media - Embed - our iframe code or HTML.

In the Plone CMS demo: Insert - Image - Caption - our iframe code or HTML.

We can also inject code into a Table.

If a simple user can inject his code into these fields, then he can use it for phishing, defacement and other things.

Picture: https://imgur.com/a/IM6PBQh

Iframe injection video: https://www.youtube.com/watch?v=KHbhD_zmWcI&feature=youtu.be

HTML injection video: https://www.youtube.com/watch?v=IoR89uQcbGc&feature=youtu.be

I did another interesting test. I used www.project.co ("Discussion") for the test, because they use TinyMCE. On the demo panel we have a simple editor without media, pictures or tables; you have limited options.

Picture: https://imgur.com/a/SGdLhbJ

But we can try using the POST method directly. This works in about 70% of cases. In the example we use the div tag and attributes for the tag.

Video: https://www.youtube.com/watch?v=wswNNxdorlY
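As an added defensive example (not part of the advisory and not TinyMCE's own code): the editor-side `invalid_elements` setting that TinyMCE support recommended, next to a server-side fail-closed check, because the direct-POST test above shows that whatever the editor UI hides can be submitted anyway. The selector, the element names beyond 'iframe', and the sample submissions are assumptions constructed for this example.

```javascript
// Editor-side layer: TinyMCE's real `invalid_elements` init option.
// 'iframe' is what the advisory quotes from support; the other names and
// the selector are assumed additions for this example.
function hardenedTinyMceConfig() {
  return {
    selector: 'textarea#body',
    invalid_elements: 'iframe,object,embed,script',
  };
}

// Server-side layer: the browser can POST arbitrary HTML no matter how the
// editor is configured, so the same policy must be enforced on the server.
const DEFAULT_DISALLOWED_ELEMENTS = new Set(['iframe', 'object', 'embed', 'script', 'form']);

// Inspects submitted HTML before it is stored. Returns a string naming the
// first violation ('element:iframe', 'attribute:onload', 'url:javascript:...')
// or null if nothing matched. Run it on the decoded HTML exactly as it would
// be stored and rendered. This is a rejection check that errs towards
// rejecting; for cleaning rather than rejecting, use an allowlist-based
// sanitiser such as DOMPurify (assumption: available in your stack).
function findDisallowedMarkup(html, disallowed = DEFAULT_DISALLOWED_ELEMENTS) {
  // Any '<', optional '/', optional whitespace, then a tag name (case-insensitive).
  const tagRe = /<\s*\/?\s*([a-z][a-z0-9-]*)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (disallowed.has(name)) return `element:${name}`;
  }
  // Inline event handlers (onload=, onerror=, onmouseover=, ...) on any
  // element, which covers the "div tag and attributes" case in the advisory.
  const handlerRe = /[\s"'\/]on([a-z]+)\s*=/gi;
  if ((m = handlerRe.exec(html)) !== null) return `attribute:on${m[1].toLowerCase()}`;
  // javascript: URLs in href/src, after stripping whitespace and control chars
  // that browsers ignore when parsing the scheme.
  const urlRe = /\b(?:href|src)\s*=\s*["']?\s*([^"'\s>]+)/gi;
  while ((m = urlRe.exec(html)) !== null) {
    const scheme = m[1].replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
    if (scheme.startsWith('javascript:')) return `url:${m[1]}`;
  }
  return null;
}

// Constructed sample submissions (not taken from the advisory).
const SAMPLES = {
  clean: '<p>Hello <b>world</b></p><table><tr><td>x</td></tr></table>',
  iframe: '<p>see</p><IFRAME src="https://example.test/"></IFRAME>',
  handler: '<div onmouseover=alert(1)>hover</div>',
  jsUrl: '<a href=" javascript:alert(1)">x</a>',
};
```

The check is deliberately strict (for example `< iframe` with a space is flagged even though browsers would not render it as a tag), which is the right direction for a reject-or-accept gate on user content.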