Platform
wordpress
Component
just-tinymce-styles
Fixed in
1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Just TinyMCE Custom Styles, a WordPress plugin developed by Alex Prokopenko. The flaw lets an attacker cause actions to be performed through a logged-in user's session without that user's knowledge. Versions 0.0.0 through 1.2.1 are affected; the page metadata lists 1.2.2 as the fixed release.
CSRF lets an attacker craft a request, typically a form on an attacker-controlled page, that the victim's browser submits together with the victim's WordPress session cookies, so the request appears to originate from that user. Because the plugin manages editor style definitions, successful exploitation against an administrator could change the plugin's settings and with them the appearance or behaviour of site content. Whether that reaches script injection or redirects to phishing sites depends on how the plugin outputs the stored values, which the advisory does not detail; treat an unexpected change to these settings as a sign of possible compromise rather than as a cosmetic problem.
The vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code had been released at the time of writing, and it is not listed in the CISA KEV catalog. The page rates the probability of exploitation as medium because CSRF is easy to mount; note, however, that it requires a logged-in privileged user to visit an attacker-controlled page, and the EPSS score of 0.02% (5th percentile) indicates low expected exploitation activity.
Any site with the plugin active is exposed: the attack targets the session of an administrator (or any other user permitted to change the plugin's settings) rather than a particular configuration. Sites whose plugin updates are managed centrally, such as managed or shared hosting, remain exposed until the host rolls out the fixed version.
Detection and remediation commands (wordpress / composer / npm):
# locate the plugin's main file under the web root (grep -r would search file contents, not paths)
find /var/www/html -path '*/just-tinymce-styles/index.php'
# wp-cli lists plugins by slug, so filter on the slug rather than the display name
wp plugin list | grep 'just-tinymce-styles'
# update the affected plugin (or all plugins) to the fixed release
wp plugin update just-tinymce-styles
wp plugin update --all
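An offline way to confirm which version is installed, as an added example that is not from the page or from the plugin: read the Version: header from the plugin's main file and compare it with the fixed release using version_compare(). The install path /var/www/html/wp-content/plugins/just-tinymce-styles/index.php is assumed (index.php is the file the detection command above looks for), and the sample header is constructed so the script runs without a WordPress install.

```php
<?php
// Added example (not from the advisory or the plugin): determine the installed
// Just TinyMCE Custom Styles version from the plugin header and compare it with
// the fixed release. The install path is an assumption; the sample header is
// constructed for offline use.

const JTS_FIXED_VERSION = '1.2.2';

// Extract the "Version:" value from a WordPress plugin header block.
function jts_header_version(string $header): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

// True when the installed version is below the fixed release (affected range
// on this page: 0.0.0 through 1.2.1).
function jts_is_affected(string $installed, string $fixed = JTS_FIXED_VERSION): bool
{
    return version_compare($installed, $fixed, '<');
}

// Read the version from a plugin's main file; null if the file is unreadable
// or carries no Version header. Like WordPress, only the first 8 KiB is read.
function jts_installed_version(string $plugin_file): ?string
{
    if (!is_readable($plugin_file)) {
        return null;
    }
    $head = file_get_contents($plugin_file, false, null, 0, 8192);
    return $head === false ? null : jts_header_version($head);
}

// Constructed sample header standing in for a real plugin file.
$sample = <<<'HDR'
<?php
/*
Plugin Name: Just TinyMCE Custom Styles
Version: 1.2.1
*/
HDR;

$v = jts_header_version($sample);
printf("sample header: version %s -> %s\n", $v, jts_is_affected($v) ? 'AFFECTED' : 'ok');

// Assumed install location; adjust to your web root.
$file = '/var/www/html/wp-content/plugins/just-tinymce-styles/index.php';
$live = jts_installed_version($file);
if ($live === null) {
    echo "$file: not found or no Version header\n";
} else {
    printf("%s: version %s -> %s\n", $file, $live, jts_is_affected($live) ? 'AFFECTED' : 'ok');
}
```

Run it with `php check-jts.php` on the web server; the constructed sample reports AFFECTED, and the live check reports the real installation's status. Compare with version_compare() rather than string comparison so that 1.10.0 is not treated as older than 1.2.2.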
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to the fixed release (1.2.2 according to the page metadata) or later. CSRF is not addressed by input validation or output encoding: the fix is to verify an action-specific nonce and the caller's capability before any state-changing request is processed, which is how WordPress plugins are expected to protect their settings handlers. If you cannot upgrade immediately, deactivate the plugin or restrict the manage_options capability to the smallest set of accounts, and have administrators avoid browsing untrusted sites while logged in to the dashboard. A Content Security Policy (CSP) does not stop CSRF (the forged request is an ordinary form submission), but it can limit what an injected style or script can do if the stored settings are ever rendered unescaped. Regularly review user permissions and restrict access to the plugin's settings.
If the fixed release is not available to you, review the vulnerability details in depth and implement mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and find a substitute.
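To make the nonce-and-capability point concrete, here is an added example, not the plugin's own code, of a hypothetical settings-save handler of the kind CSRF affects, followed by its hardened form. The option name jts_custom_styles, the field names jts_styles and jts_nonce, and the action name jts_save_styles are all assumptions; the code runs inside WordPress, which provides update_option(), check_admin_referer() and the other functions used.

```php
<?php
// Added example (not the plugin's own code): a settings-save handler that is
// vulnerable to CSRF, and the hardened version. Option, field and action
// names are hypothetical. Runs inside WordPress (admin_init hook).

// Vulnerable form: any request that reaches this hook is trusted. A logged-in
// administrator who loads an attacker-controlled page containing a form that
// posts jts_styles to wp-admin (auto-submitted by JavaScript) overwrites the
// option, because the browser attaches the admin's session cookies.
function jts_save_styles_vulnerable(): void
{
    if (isset($_POST['jts_styles'])) {
        update_option('jts_custom_styles', wp_unslash($_POST['jts_styles']));
    }
}

// Hardened form: require both the capability and a nonce bound to this
// action and the current user's session. The settings form emits the nonce
// with wp_nonce_field('jts_save_styles', 'jts_nonce'); a cross-site page
// cannot read it, so check_admin_referer() rejects the forged request with
// HTTP 403 before anything is written.
function jts_save_styles_hardened(): void
{
    if (!isset($_POST['jts_styles'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'jts'), 403);
    }
    check_admin_referer('jts_save_styles', 'jts_nonce');

    // Still sanitize: the nonce proves intent, not that the value is safe.
    $styles = sanitize_textarea_field(wp_unslash($_POST['jts_styles']));
    update_option('jts_custom_styles', $styles);
}
add_action('admin_init', 'jts_save_styles_hardened');

// The matching form field, rendered inside the plugin's settings page:
//   wp_nonce_field('jts_save_styles', 'jts_nonce');
//   echo '<textarea name="jts_styles">' . esc_textarea(get_option('jts_custom_styles', '')) . '</textarea>';
```

The capability check comes first so that a subscriber-level account cannot even reach the nonce check, and the nonce check comes before any write so that a forged request fails closed. When reviewing a plugin for this bug, look for update_option() or similar writes reachable from admin_init, admin_post_* or wp_ajax_* hooks without a preceding check_admin_referer(), wp_verify_nonce() or check_ajax_referer() call.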
CVE-2025-62871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Just TinyMCE Custom Styles WordPress plugin, allowing an attacker to perform unauthorized actions through a victim's authenticated session.
You are affected if you run Just TinyMCE Custom Styles version 0.0.0 through 1.2.1. Upgrade to the fixed release (1.2.2 according to the page metadata) or later.
The recommended fix is to upgrade to the patched version of the plugin. Until then, deactivate the plugin or restrict who can change its settings; a Content Security Policy (CSP) limits the impact of injected content but does not prevent CSRF.
There are currently no confirmed reports of active exploitation; the page rates the vulnerability as medium risk, while its EPSS score (0.02%) indicates low expected exploitation activity.
Check the plugin's official website or WordPress plugin repository for updates and security advisories.