CVE-2025-62871 MEDIUM

CVE-2025-62871: WordPress Just TinyMCE Custom Styles plugin <= 1.2.1 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Alex Prokopenko / Justcoded

Product Just TinyMCE Custom Styles

Weakness CWE-352 · CSRF

Published December 9, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery.This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1.

Explanation of Vulnerability in Simple Terms

02Summary

Just TinyMCE Custom Styles versions up to 1.2.1 are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions within the plugin without the admin's knowledge or consent. The vulnerability requires the victim to visit the attacker's page while authenticated to the WordPress site.

What an attacker can do

03Attacker Capabilities

Perform unwanted actions in the plugin on behalf of a logged-in administrator without their consent.

Potential impact on your site

04Site Impact

An attacker could modify plugin settings or styles by tricking an admin into visiting a malicious link while logged in.

Conditions required to exploit

05Prerequisites

Administrator must be logged into WordPress and visit an attacker-controlled webpage.

Key dates

06Disclosure timeline

December 9, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62871 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

Identifiers

CVE CVE-2025-62871

CWE CWE-352

CVSS 4.3 / MEDIUM

Affected versions