Stored XSS Vulnerability Discovered In CKEditor4: CVE-2021-33829 / CX-2021-4791


Severity: 6.1 - Medium Severity

Summary
CKEditor4 prior to version 4.16.1 is vulnerable to stored XSS.


CKEditor4 prior to 4.16.1


CKEditor 4 is commonly used, so this vulnerability may affect a variety of environments, such as blogs, content management systems, and other websites that accept rich text content from users. Successful exploitation of the vulnerability leads to arbitrary web script injection. The impact depends on where the plugin is used. It may lead to account takeover, credential stealing, sensitive data exposure, etc.

Steps To Reproduce

  1. Click the source button in CKEditor 4
  2. Paste the following payload:
Xss<!--{cke{cke_protected}_protected} --!><img src=1 onerror=alert(`XSS`)> Attack
  3. Click the source button again to return to the regular editor.

Expected Result:

The browser pops an alert


This issue was fixed in version 4.16.1 through commit cae2031.
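
A triage helper for the fix above, added here as an example and not taken from CKEditor or from the advisory: it compares a version string against 4.16.1 and flags stored rich text that carries the structural features of the reproduction payload. The function names and finding labels are hypothetical, and it assumes the {cke_protected} marker has no reason to appear in content that users submit.

```javascript
// Added triage helper (not CKEditor code). Runs in Node or a browser console.
const FIXED = [4, 16, 1];          // first fixed release, per the advisory
const MARKER = '{cke_protected}';  // marker string as it appears in the advisory payload

// True when a CKEditor 4 version string (e.g. the value of CKEDITOR.version)
// is older than 4.16.1. Throws on input that is not a dotted version.
function isAffectedVersion(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10));
  if (parts.some(Number.isNaN)) throw new TypeError('unparseable version: ' + version);
  if (parts[0] !== 4) return false; // the advisory covers CKEditor 4 only
  for (let i = 0; i < FIXED.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED[i]) return have < FIXED[i];
  }
  return false; // exactly 4.16.1
}

// Flags the structural features of the advisory's payload in stored rich text.
// Assumption: the marker is editor-internal and has no reason to appear in
// content that users submit.
function scanStoredHtml(html) {
  const text = String(html);
  const findings = [];
  if (text.includes(MARKER)) findings.push('protected-marker');
  // Nested form: deleting every marker once leaves a marker behind.
  if (text.split(MARKER).join('').includes(MARKER)) findings.push('nested-marker');
  // Comment closed with "--!>", which HTML5 parsers accept as a comment end.
  // The tempered match stops at a normal "-->" so ordinary comments are skipped.
  if (/<!--(?:(?!-->)[\s\S])*?--!>/.test(text)) findings.push('bang-closed-comment');
  return findings;
}

// Constructed samples: the comment part of the advisory payload followed by
// harmless markup, and an ordinary comment.
const suspicious = 'Xss<!--{cke{cke_protected}_protected} --!><b>text</b> Attack';
const ordinary = '<p>Hello <!-- editor note --> world</p>';
console.log(scanStoredHtml(suspicious));
console.log(scanStoredHtml(ordinary));
console.log(isAffectedVersion('4.16.0'), isAffectedVersion('4.16.1'));
```

A hit from scanStoredHtml is a reason to review the stored record, not proof of exploitation; upgrading to 4.16.1 or later remains the fix.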


Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: Required

Scope: Changed

Confidentiality: Low

Integrity: Low

Availability: None


This issue was discovered and reported by Checkmarx Security Researcher Or Sahar.


  1. Commit (cae2031)