Platform: wordpress
Component: just-tinymce-styles
Fixed in: 1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Just TinyMCE Custom Styles, a WordPress plugin developed by Alex Prokopenko. The flaw lets an attacker cause actions to be performed under a logged-in user's account without that user's knowledge. It affects versions 0.0.0 up to and including 1.2.1. A patch is expected to be released by the vendor.
In a CSRF attack the attacker crafts a request that the victim's browser sends to the site with the victim's session cookies attached, so the request appears to originate from that legitimate user. Successful exploitation could lead to unauthorized modification of plugin settings, affecting the functionality and appearance of the website. While the direct impact might seem limited, a compromised plugin can serve as a stepping stone for further attacks, especially if the plugin interacts with sensitive data or other systems. For example, the attacker could alter the custom styles to inject malicious code or redirect users to phishing sites.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of CSRF exploitation and the plugin's popularity.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of Just TinyMCE Custom Styles as soon as one becomes available. Until then, consider implementing strict input validation and output encoding in the plugin's code to reduce the attack surface. A Content Security Policy (CSP) can additionally help stop the browser from executing malicious scripts that were injected through a CSRF-driven settings change. Regularly review user permissions and restrict access to sensitive plugin settings.
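As an added illustration (not the plugin's own code, and no part of this advisory), here is a hypothetical WordPress settings handler in the unprotected shape the advisory describes, next to a hardened version: in WordPress, CSRF on a state-changing admin request is stopped by a nonce check (wp_nonce_field on the form, check_admin_referer in the handler) combined with a capability check, and the nonce is what a cross-site form cannot supply. The action name, option name and nonce field name are assumptions.

```php
<?php
// Hypothetical settings handler (constructed example, not the plugin's code).
//
// Before: the handler trusts any POST carrying the admin's cookies. A request
// triggered from another site is processed exactly like one from the real
// settings page, because nothing ties the request to the plugin's own form.
add_action('admin_post_jtcs_save_styles_unprotected', function () {
    update_option('jtcs_custom_styles', $_POST['styles']); // no nonce, no capability check, no sanitising
    wp_safe_redirect(admin_url('options-general.php?page=jtcs'));
    exit;
});

// After: capability check, nonce check, then input sanitising.
add_action('admin_post_jtcs_save_styles', function () {
    // Only users allowed to manage options may change the styles.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // The nonce is bound to the logged-in user and to this action name; a form
    // on another origin cannot read it, so a forged request dies here.
    check_admin_referer('jtcs_save_styles', 'jtcs_nonce');

    // Treat the submitted value as plain CSS text: unslash and drop any markup.
    $styles = isset($_POST['styles']) ? wp_unslash($_POST['styles']) : '';
    $styles = wp_strip_all_tags($styles);
    update_option('jtcs_custom_styles', $styles);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=jtcs')));
    exit;
});

// The settings form that emits the nonce field the hardened handler expects.
function jtcs_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="jtcs_save_styles">
        <?php wp_nonce_field('jtcs_save_styles', 'jtcs_nonce'); ?>
        <textarea name="styles"><?php echo esc_textarea(get_option('jtcs_custom_styles', '')); ?></textarea>
        <?php submit_button('Save styles'); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every handler that calls update_option (or otherwise writes state) and confirm it performs both the capability check and the nonce check before the write; either one alone is insufficient.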
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-62871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Just TinyMCE Custom Styles WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Just TinyMCE Custom Styles version 0.0.0 through 1.2.1. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, implement input validation and consider a Content Security Policy (CSP).
There are currently no confirmed reports of active exploitation, but the vulnerability is considered medium risk.
Check the plugin's official website or WordPress plugin repository for updates and security advisories.