Platform
wordpress
Component
just-tinymce-styles
Fixed version
1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Just TinyMCE Custom Styles, a WordPress plugin developed by Alex Prokopenko. This flaw allows an attacker to perform unauthorized actions on a user's account without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 1.2.1. A patch is expected to be released by the vendor.
The CSRF vulnerability allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation could lead to unauthorized modification of plugin settings, potentially impacting the functionality and appearance of the website. While the direct impact might seem limited, a compromised plugin could be leveraged as a stepping stone for further attacks, especially if the plugin interacts with sensitive data or other systems. The attacker could, for example, alter custom styles to inject malicious code or redirect users to phishing sites.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of CSRF exploitation and the plugin's popularity.
Websites using the Just TinyMCE Custom Styles plugin, particularly those with user accounts and custom style configurations, are at risk. Shared hosting environments where plugin updates are managed centrally also remain vulnerable until the plugin is updated.
• wordpress / composer / npm:
grep -r 'just-tinymce-styles/index.php' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep 'Just TinyMCE Custom Styles'
• wordpress / composer / npm:
wp plugin update --all
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of Just TinyMCE Custom Styles as soon as it becomes available. Until the patch is released, consider implementing strict input validation and output encoding within the plugin's code to reduce the attack surface. Additionally, employing a Content Security Policy (CSP) can help prevent the browser from executing malicious scripts injected via CSRF. Regularly review user permissions and restrict access to sensitive plugin settings.
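To make the CSRF pattern described above concrete from the defender's side, here is an added example of a WordPress settings handler shown first in the unprotected form and then hardened with the checks WordPress itself provides (a capability check, a nonce check, and sanitisation of the submitted value). This is illustrative code written for this page, not code from the Just TinyMCE Custom Styles plugin; the function names (jtcs_demo_*), the option key 'jtcs_demo_styles' and the nonce action/field names are hypothetical. The WordPress functions used (current_user_can, check_admin_referer, wp_nonce_field, sanitize_textarea_field and the admin_post_{action} hook) are the real core API.

```php
<?php
// Added example (not plugin code). Names prefixed jtcs_demo_ are hypothetical.

/**
 * Unprotected pattern: any logged-in user's browser that submits this POST,
 * including one submitting a form hosted on an attacker's page, gets the
 * option overwritten. Nothing ties the request to an action the user chose.
 */
function jtcs_demo_save_styles_vulnerable() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $styles = isset( $_POST['jtcs_demo_styles'] ) ? $_POST['jtcs_demo_styles'] : '';
    update_option( 'jtcs_demo_styles', $styles );
}

/**
 * Hardened pattern: three checks before any state change.
 *  1. Capability check: only users allowed to manage options may save.
 *  2. Nonce check: a cross-site page cannot read the nonce bound to the
 *     victim's session, so a forged request fails here with a 403.
 *  3. Sanitisation of the submitted value before it is stored.
 */
function jtcs_demo_save_styles_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 page unless a valid nonce for this action is present.
    check_admin_referer( 'jtcs_demo_save_styles', 'jtcs_demo_nonce' );

    $raw    = isset( $_POST['jtcs_demo_styles'] ) ? wp_unslash( $_POST['jtcs_demo_styles'] ) : '';
    $styles = sanitize_textarea_field( $raw );
    update_option( 'jtcs_demo_styles', $styles );

    // Return the user to the page they came from (or the dashboard).
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}

/** Settings form that emits the nonce the hardened handler expects. */
function jtcs_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jtcs_demo_save_styles">
        <?php wp_nonce_field( 'jtcs_demo_save_styles', 'jtcs_demo_nonce' ); ?>
        <textarea name="jtcs_demo_styles"><?php echo esc_textarea( get_option( 'jtcs_demo_styles', '' ) ); ?></textarea>
        <?php submit_button( 'Save styles' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_jtcs_demo_save_styles', 'jtcs_demo_save_styles_hardened' );
```

The order of the checks matters: the capability check runs first because a nonce only proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action. When reviewing a plugin for this bug class, look for every handler that calls update_option (or otherwise changes state) and confirm both a current_user_can check and a check_admin_referer or wp_verify_nonce check precede it.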
There is currently no known patch. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2025-62871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Just TinyMCE Custom Styles WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Just TinyMCE Custom Styles version 0.0.0 through 1.2.1. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, implement input validation and consider a Content Security Policy (CSP).
There are currently no confirmed reports of active exploitation, but the vulnerability is considered medium risk.
Check the plugin's official website or WordPress plugin repository for updates and security advisories.