VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-62871

Description

Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Just TinyMCE Custom Styles plugin (≤1.2.1) allows attackers to force authenticated admins to perform unintended actions.

The Just TinyMCE Custom Styles WordPress plugin, developed by Alex Prokopenko / JustCoded, contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.1. The plugin fails to implement proper CSRF tokens or other validation mechanisms on state-changing requests, allowing an attacker to craft malicious requests that are indistinguishable from legitimate ones [1].

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress site. The attacker does not need any special privileges themselves, but the victim must have sufficient permissions to perform the targeted action [1].

Successful exploitation could allow a malicious actor to force the victim to execute unwanted actions under their current authentication, such as modifying plugin settings, adding or removing custom styles, or performing other administrative operations without the victim's consent. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

As an immediate mitigation, users should update the plugin to a patched version if available. If updating is not possible, administrators are advised to contact their hosting provider or web developer for assistance. No workaround is provided in the advisory [1].
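The missing request validation described above, as an added example that is not code from the plugin or the advisory: a WordPress settings handler without a nonce check beside a hardened version. All `example_`-prefixed names, the choice of the `manage_options` capability and the admin page slug are assumptions, and the code runs only inside WordPress.

```php
<?php
// Added illustration. Names prefixed "example_" are hypothetical and are
// not taken from just-tinymce-styles.

// Before: the state change is authorised only by the admin's session cookie,
// so any request the browser sends with that cookie is accepted.
function example_styles_save_unprotected() {
    if ( isset( $_POST['example_styles'] ) ) {
        update_option( 'example_styles', wp_unslash( $_POST['example_styles'] ) );
    }
}

// After: capability check plus a nonce tied to the user, session and action.
function example_styles_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if the nonce field is missing, expired or invalid.
    check_admin_referer( 'example_styles_save', 'example_styles_nonce' );

    $styles = isset( $_POST['example_styles'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['example_styles'] ) )
        : '';
    update_option( 'example_styles', $styles );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-styles&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_styles_save', 'example_styles_save' );

// The settings form must emit the nonce field the handler verifies.
function example_styles_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_styles_save">
        <?php wp_nonce_field( 'example_styles_save', 'example_styles_nonce' ); ?>
        <textarea name="example_styles"></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, check every handler that writes options or content for both calls: the capability check and the nonce verification.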

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
