TinyMCE 5 suffers from an HTML injection vulnerability.
# Exploit Title: iframe Injection\Html Injection TinyMCE 5 HTML WYSIWYG
# Date: 18.10.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.tiny.cloud/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/10/iframehtml-injection-tinymce-5-html.html
PoC:
TinyMCE 5 is affected by iframe and HTML injection.
Iframes are allowed in TinyMCE:
https://www.tiny.cloud/docs/advanced/security/
I wrote to TinyMCE support with this question and got a helpful answer:
If you wish to disallow this, you can set invalid_elements: 'iframe'
in the parameters object passed to the tinymce.init function. (c)
As examples I use the TinyMCE demo and Plone CMS with TinyMCE.
Our iframe and HTML injection on the demo:
Insert - Media - Embed - our iframe code or HTML.
In the Plone CMS demo:
Insert - Image - Caption - our iframe code or HTML.
We can also inject code into the Table.
If a simple user can inject his code into these fields, then he can
use it for phishing, defacement and other things.
Picture:
https://imgur.com/a/IM6PBQh
Iframe injection video:
https://www.youtube.com/watch?v=KHbhD_zmWcI&feature=youtu.be
HTML injection video:
https://www.youtube.com/watch?v=IoR89uQcbGc&feature=youtu.be
I did another interesting test.
For the test I used the "Discussion" feature of www.project.co, because
they use TinyMCE. On the demo panel we have a simple editor without
media, pictures and tables. You have limited options.
Picture:
https://imgur.com/a/SGdLhbJ
But we can try to use the POST method. This works in 70% of cases. In the
example we use the div tag and attributes for the tag.
Video:
https://www.youtube.com/watch?v=wswNNxdorlY
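
Mitigation sketch for the two points above: the invalid_elements setting from the support answer, and the POST test showing that a limited editor toolbar does not limit what the server receives. This is an added example, not code from the advisory or from TinyMCE; the tag allowlist, the '#discussion' selector and the function names are assumptions.

```javascript
// Assumed allowlist: the tags a limited "discussion" editor is meant to produce.
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li'];

// Editor side: invalid_elements: 'iframe' is the setting quoted in the advisory;
// valid_elements narrows editor output to the same allowlist.
const editorConfig = {
  selector: '#discussion', // hypothetical element id
  invalid_elements: 'iframe',
  valid_elements: ALLOWED_TAGS.join(','),
};
if (typeof tinymce !== 'undefined') tinymce.init(editorConfig); // browser only

// Server side: the editor config is not a security boundary, because the
// body can be sent directly with POST. Validate what actually arrives.
// Only bare allowlisted tags (no attributes) are accepted.
const ALLOWED_TOKEN = new RegExp(`</?(?:${ALLOWED_TAGS.join('|')})\\s*/?>`, 'gi');

function validateSubmittedHtml(html) {
  if (typeof html !== 'string') return { ok: false, reason: 'not a string' };
  // Remove every exactly-allowed tag; any '<' left over is markup that is
  // not on the allowlist, so the submission is rejected (fail closed).
  const remainder = html.replace(ALLOWED_TOKEN, '');
  const bad = remainder.match(/<[^>]{0,40}>?/);
  if (bad) return { ok: false, reason: `disallowed markup: ${bad[0]}` };
  return { ok: true, reason: null };
}

// Constructed sample submissions, as a server would receive them in a POST body.
const SAMPLES = [
  '<p>Hello <strong>team</strong>, 1 &lt; 2</p>',
  '<iframe src="https://example.invalid/"></iframe>',
  '<div style="position:fixed">notice</div>',
  '<p onclick="x">attribute on an allowed tag</p>',
  '<scr<p>ipt>nested to dodge naive stripping',
];

function runSamples() {
  return SAMPLES.map((s) => validateSubmittedHtml(s).ok);
}

console.log(runSamples()); // first sample accepted, the rest rejected
```

Rejecting instead of rewriting keeps the check simple to reason about; a site that must accept attributes such as links needs a real HTML sanitizer on the server instead.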