The 4.4.3 release of ckeditor fixes a cross-site scripting (XSS) flaw in ckeditor:
This may be the fix:
The ckeditor and drupal7-ckeditor packages in Fedora and EPEL do not have this plug-in. The python-django-ckeditor packages look like they may be affected.
Created python-django-ckeditor tracking bugs for this issue:
Affects: fedora-all [bug 1139488]
Affects: epel-6 [bug 1139489]
Tried to request if this tracking bug can be closed since all dependent bugs have been closed, but received the following Bugzilla error:
> You can't ask Murray McAllister <email@example.com> because that account is disabled.
So, closing this bug.