CKEditor is a popular open-source WYSIWYG editor that is highly configurable and supports hundreds of apps. Drupal uses CKEditor and has agreed to upgrade it to version 4.14, which addresses two cross-site scripting (XSS) bugs affecting older versions of the software. Users are advised to update Drupal to version 8.8.4 or 8.7.12. Additionally, future attacks may be prevented by disabling the CKEditor module. Drupal 7 is not affected, but site administrators using this version should also ensure that CKEditor has been upgraded to version 4.14 or higher, say Drupal developers.

Although Drupal's description of the vulnerabilities may suggest that they pose a significant risk, only a "moderately critical" rating with a 13/25 risk score has been assigned. The CKEditor 4.14 release notes likewise indicate that exploiting the vulnerabilities requires "unlikely" or "highly unlikely" scenarios.

One of the flaws, for example, concerns the HTML data processor. In order to exploit it, the attacker will need to persuade the targeted user to insert malicious HTML code into the editor, either in WYSIWYG mode or in source mode.

The second vulnerability requires a third-party application called WebSpellChecker Dialog. In order to exploit it for XSS attacks, an attacker will need to persuade the user to switch CKEditor to source mode, paste malicious code, switch back to WYSIWYG mode, and display the content on a website where the plugin files for the WebSpellChecker Dialog are accessible.

It is the first patch published by Drupal developers this year, and seven rounds of security patches were released in 2019, covering January, February, March, April, May, July, and December.

Although Drupal is not targeted as aggressively as WordPress, some of the bugs found in recent years have been exploited to hijack websites at some stage.
Drupal CMS Updates CKEditor to Patch XSS Vulnerabilities - Cybers Guards