On May 26, new versions of the popular Drupal software were released to fix a “moderately critical” cross-site scripting (XSS) vulnerability caused by an “error in parsing HTML” in the “third-party CKEditor library”. They further stated that “CKEditor 4.16.1 and later include the fix”.

The release notes for CKEditor 4.16.1, which was released on May 20, though make no mention of any security fix:

Fixed Issues:

• #4617: Fixed: Autocomplete is not accessible in inline editors.
• #4493: Fixed: The drop-down label does not reflect the current value of the drop-down.
• #1572: Fixed: A paragraph before or after a widget cannot be removed. Thanks to bunglegrind!
• #4301: Fixed: Pasted content is overwritten when pasted in an initially empty editor with the div Enter mode.
• #4351: Fixed: Incorrect values for RGBA/HSLA colors in Color Dialog.
• #4509: Fixed: Incorrect handling of drag & drop inside widgets and nested editables.
• #4611: [Android, iOS] Fixed: Incorrect hover styles for buttons in the toolbar on mobile devices.
• #4652: Fixed: Event data set to false is treated as an event cancelation.

It isn’t that CKEditor release notes don’t include mentions of those, as here is the beginning of the notes for the previous release, 4.16.0:

Security Updates:

• Fixed ReDoS vulnerability in the Autolink plugin.Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted URL-like text into the editor and press Enter or Space.
• Fixed ReDoS vulnerability in the Advanced Tab for Dialogs plugin.Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted text into the Styles dialog.

A member of the Drupal Security Team made clear that they were not referring to fixes in 4.16.0 as being in 4.16.1.

We asked CKEditor on Twitter about the discrepancy between the information from Drupal and them, but didn’t get a response.

Update: June 14, 2021

On June 7 CKEditor added the following information to a blog post about version 4.16.1:

As a part of the 4.16.1 release, we worked on improving the way the HTML parser handles HTML comments. The comment ending (--!>) was not correctly recognized as a proper comment end tag which made HTML in CKEditor 4 differ from what was expected by the HTML specification. After the release, it was discovered that this issue could also cause an XSS security vulnerability in the editor itself. We would like to thank Or Sahar (Checkmarx) for reporting this.

The fix introduced in version 4.16.1 covers this newly found vulnerability (reported as CVE-2021-33829) and thus updating your CKEditor 4 installation to version 4.16.1 is highly recommended.

The release notes have yet to be updated.

WordPress Plugins Running Outdated Versions of CKEditor

Doing a search through WPDirectory of all WordPress plugins in the Plugin Directory for a string from the main CKEditor file, we found that 50 plugins that appear to include the library and none of the plugins with 1,000 or more active installations have updated to the new version.

We have added a check to our Plugin Security Checker to warn if versions of CKEditor below 4.16.1 are in plugins being checked through that.