Platform
wordpress
Component
just-tinymce-styles
Fixed in
1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Just TinyMCE Custom Styles, a WordPress plugin developed by Alex Prokopenko. This flaw allows an attacker to perform unauthorized actions on a user's account without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 1.2.1. A patch is expected to be released by the vendor.
The CSRF vulnerability allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation could lead to unauthorized modification of plugin settings, potentially impacting the functionality and appearance of the website. While the direct impact might seem limited, a compromised plugin could be leveraged as a stepping stone for further attacks, especially if the plugin interacts with sensitive data or other systems. The attacker could, for example, alter custom styles to inject malicious code or redirect users to phishing sites.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of CSRF exploitation and the plugin's popularity.
Websites using the Just TinyMCE Custom Styles plugin, particularly those with user accounts and custom style configurations, are at risk. Shared hosting environments where plugin updates are managed centrally remain vulnerable until the plugin is updated.
Detection and remediation commands (wordpress / composer / npm):
• grep -r 'just-tinymce-styles/index.php' /var/www/html/
• wp plugin list | grep 'Just TinyMCE Custom Styles'
• wp plugin update --all
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of Just TinyMCE Custom Styles as soon as it becomes available. Until the patch is released, consider implementing strict input validation and output encoding within the plugin's code to reduce the attack surface. Additionally, employing a Content Security Policy (CSP) can help prevent the browser from executing malicious scripts injected via CSRF. Regularly review user permissions and restrict access to sensitive plugin settings.
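As an added illustration (not code from the plugin or from this advisory), the following hypothetical settings handler contrasts a save routine that accepts any POST with the standard WordPress pattern that closes this class of CSRF: a nonce bound to the action plus a capability check. The function names, the `jtcs_custom_styles` option and the form field names are assumptions.

```php
<?php
// Hypothetical WordPress settings handler (added example; not the plugin's code).
// Option, action and field names below are assumptions for illustration.

// Unsafe pattern: saves settings on any POST to the admin page, so a forged
// cross-site form submitted by a logged-in administrator's browser is accepted.
function jtcs_save_styles_unsafe() {
    if ( isset( $_POST['jtcs_styles'] ) ) {
        update_option( 'jtcs_custom_styles', wp_unslash( $_POST['jtcs_styles'] ) );
    }
}

// Hardened pattern, part 1: the form carries a nonce tied to this specific action.
function jtcs_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jtcs_save_styles">
        <?php wp_nonce_field( 'jtcs_save_styles', 'jtcs_nonce' ); ?>
        <textarea name="jtcs_styles"><?php echo esc_textarea( get_option( 'jtcs_custom_styles', '' ) ); ?></textarea>
        <?php submit_button( 'Save styles' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler verifies capability and nonce before writing.
function jtcs_save_styles_safe() {
    // Reject users who may not change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce and dies with a 403 on failure;
    // a cross-site form cannot obtain a valid nonce for this action and user.
    check_admin_referer( 'jtcs_save_styles', 'jtcs_nonce' );

    $styles = isset( $_POST['jtcs_styles'] ) ? wp_unslash( $_POST['jtcs_styles'] ) : '';
    // Sanitize before storing: wp_strip_all_tags() removes any embedded markup or script.
    update_option( 'jtcs_custom_styles', wp_strip_all_tags( $styles ) );

    // Send the user back to the settings page (fall back to the dashboard).
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// admin-post.php routes action=jtcs_save_styles to this handler for logged-in users.
add_action( 'admin_post_jtcs_save_styles', 'jtcs_save_styles_safe' );
```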
No known patch is available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. Uninstalling the affected software and finding a replacement may be the best option.
CVE-2025-62871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Just TinyMCE Custom Styles WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Just TinyMCE Custom Styles version 0.0.0 through 1.2.1. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, implement input validation and consider a Content Security Policy (CSP).
There are currently no confirmed reports of active exploitation, but the vulnerability is considered medium risk.
Check the plugin's official website or WordPress plugin repository for updates and security advisories.