CKEditor shows warning message about being insecure

The editor used by phplist, CKEditor 4, has recently started to display a warning about being insecure and recommending upgrading to either CKEditor 5 or using the (paid-for) long term support version. This is a valid warning and should not be totally ignored.

CKEditor 4 became end-of-life in June 2023, which means it has had no further updates or security fixes since then. They have a blog post about the implications, "CKEditor 4 end of life | CKEditor", and a GitHub issue, "Important update for CKEditor 4 Users · Issue #5519 · ckeditor/ckeditor4 · GitHub".

But the way CKEditor is used by phplist is a bit different to other uses. In many cases CKEditor is used by one or only a small number of phplist administrators who are generally going to be trusted in what they do. In a more general use of CKEditor, such as a contact form or something similar, it might be used by anonymous people with malicious intent.

The phplist CKEditor plugin has been upgraded to disable the warning. You can upgrade the CKEditor plugin to version 2.7.1 on the Manage Plugins page.

If the CKEditor plugin has an Update button then click that,

otherwise copy/paste this into the Plugin package URL input field:

https://github.com/bramley/phplist-plugin-ckeditor/archive/master.zip

Then use the last free version of CKEditor 4. On the Settings page change the URL to include version 4.22.1


Thanks for posting this, Duncan!

Thanks so much 4.22.1 got it going for me again. :grin: