## https://sploitus.com/exploit?id=PACKETSTORM:159594
# Exploit Title: iframe Injection / HTML Injection in TinyMCE 5 HTML WYSIWYG editor  
# Date: 18.10.2020  
# Author: Vincent666 ibn Winnie  
# Software Link: https://www.tiny.cloud/features/  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox  
# Blog : https://pentest-vincent.blogspot.com/  
# PoC: https://pentest-vincent.blogspot.com/2020/10/iframehtml-injection-tinymce-5-html.html  
  
PoC:  
  
The editor ships an explicit option for inserting an iframe; we did not use  
that option, and instead tested whether other input fields accept raw HTML.  
  
Those fields accept an iframe in TinyMCE 5.  
  
We tested this on the TinyMCE online demo and on Plone CMS, which bundles TinyMCE.  
  
Iframe injection on the TinyMCE demo:  
  
Insert - Media - Embed - paste the iframe markup.  
  
On the Plone CMS demo:  
  
Insert - Image - Caption - paste the iframe markup.  
  
If an ordinary (low-privileged) user can inject markup through these fields,  
and the application stores and renders it unfiltered, the injected iframe can  
be used for phishing (for example loading an attacker-controlled login form  
inside the trusted page) and similar attacks. Note that the editor runs in the  
user's own browser: any restriction TinyMCE applies to the markup it accepts can  
be bypassed by submitting the form without the editor, so the application must  
sanitize the HTML server-side before storing or rendering it.  
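The following is an added example, not code from this advisory, from TinyMCE or from Plone: a server-side allowlist sanitizer that re-parses whatever the editor (or a direct POST) submits and keeps only allowlisted tags and attributes, so a pasted iframe, an `on*` handler or a `javascript:` URL never reaches the stored caption. The allowlist, the `sanitize()` function name and the sample caption are assumptions chosen for illustration; a real deployment would tune the allowlist to the field.

```python
"""Server-side allowlist sanitizer for HTML submitted from a WYSIWYG editor.

Added example (not code from the advisory, TinyMCE or Plone). Whatever the
editor permits client-side, the server re-parses the submitted HTML and keeps
only allowlisted tags and attributes, so a pasted <iframe>, an on* handler or a
javascript: URL never reaches the stored content.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a caption / rich-text field. Everything else is removed.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs
VOID_TAGS = {"br", "img"}
# Tags whose *content* is discarded too (iframe fallback text, script bodies, ...).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


def _safe_url(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside a scheme
    # ("java\nscript:"), so strip them before deciding.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # removed tag names, for logging / tests
        self._skip = 0                 # > 0 while inside a DROP_WITH_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1        # nested <iframe><iframe>...
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skip = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # tag removed, its text content kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue               # drops onerror=, style=, srcdoc=, ...
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue               # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape all text

    def handle_comment(self, data):
        pass   # comments are dropped entirely


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (clean_html, dropped_tag_names) for untrusted editor output."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: what a malicious user could submit as an image caption,
# with or without going through the editor UI.
SUBMITTED_CAPTION = (
    '<p>Team photo</p>'
    '<iframe src="https://attacker.example/login" width="600" height="400"></iframe>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SUBMITTED_CAPTION)
    print(clean)     # <p>Team photo</p><img src="x"><a>click</a>
    print(dropped)   # ['iframe']
```

The `sanitize()` step belongs on the server at save time (and ideally again at render time), independent of any `valid_elements`-style configuration in the editor, because the editor's own filtering runs in the attacker's browser and can simply be skipped. Logging the `dropped` list is a cheap way to spot users probing the field.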
  
Picture:  
  
https://imgur.com/a/IM6PBQh  
  
Iframe injection video:  
  
https://www.youtube.com/watch?v=KHbhD_zmWcI&feature=youtu.be  
  
HTML injection video:  
  
https://www.youtube.com/watch?v=IoR89uQcbGc&feature=youtu.be