by David Snopek on January 5, 2022 - 5:44pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Wysiwyg module to fix a Cross Site Scripting (XSS) vulnerability.

The Wysiwyg module provides one way to integrate various WYSIWYG editors into Drupal.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the Wysiwyg module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on

Want to read more articles like this?


Subscribe to the blog and recieve e-mail updates when new articles are published!


I tried to submit a nes issue, but for some reason (I was logged in) the submit doesn't word.

I just insalled wysiwyg 2.11 and got this error:
Call to undefined function db_delete() in /xxx/public_html/sites/all/modules/wysiwyg/wysiwyg.install

Yes, we noticed this too when deploying to our customers. However, it will only prevent this particular update hook running during update.php or 'drush updb' - any proceeding update hooks will complete successfully, and the site should work fine otherwise. We're going to release a new version fixing the update hook soon.

This is fixed in a new 6.x-2.12 release: