Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config tinymce-extended-config allows Reflected XSS. This issue affects TinyMCE Extended Config: from n/a through <= 0.1.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation (CWE-79) lets an attacker craft a request to the TinyMCE Extended Config WordPress plugin in which attacker-controlled input is echoed into the generated page without escaping. Because the flaw is reflected rather than stored, the payload travels in the request itself, typically a link the victim is induced to open; the injected JavaScript then runs in the victim's browser within the site's origin, enabling cookie theft, session hijacking, defacement, and any other action the victim is entitled to perform on the site.

Affected Systems

The vulnerability affects the willshouse TinyMCE Extended Config plugin for WordPress. Versions from the earliest release up to and including 0.1.0 are vulnerable. No patched versions are noted in the supplied data.

Risk and Exploitability

The CVSS 3.1 score of 7.1 is rated High. The vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) records network reachability, low attack complexity, no privileges required, and a required user interaction, with a changed scope because the script executes in the victim's browser rather than in the vulnerable plugin. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a request parameter that the plugin reflects into the generated page without escaping, and a victim who opens the crafted request; the attacker needs no account on the site, but the impact depends on who opens the link. An ordinary visitor yields only that visitor's session, whereas an administrator yields the WordPress backend with that administrator's rights. The reflected script itself is not stored on the site, but changes made through a hijacked administrator session persist after the page is closed.

Generated by OpenCVE AI on May 1, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TinyMCE Extended Config to a version newer than 0.1.0 once the vendor releases one; no fixed version is recorded here, so confirm in the plugin's changelog that the release actually addresses the reflected XSS before relying on it.
  • If an immediate update is not feasible, deactivate or uninstall the plugin to eliminate the vulnerable code path.
  • After remediation, review the site for changes an attacker could have made with a hijacked session (unexpected administrator accounts, modified posts or settings, unfamiliar plugin or theme files) and revert them; a reflected XSS payload is not itself stored on the site, so the review targets the consequences of a hijacked session rather than injected content.
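To tell whether a site is actually in the affected range before deciding between updating and deactivating, the following POSIX shell script is an added example (not OpenCVE's code and not the plugin author's). It assumes only the standard WordPress layout wp-content/plugins/<slug>/ and the plugin slug tinymce-extended-config given in the description; the plugin's main file is found by its "Plugin Name:" header rather than assumed, and the version ceiling 0.1.0 comes from the advisory. Run with no arguments it builds a throwaway, constructed plugin directory and checks that instead of a real site.

```shell
#!/bin/sh
# Added example: check whether the TinyMCE Extended Config plugin installed
# under a WordPress root is at a version affected by CVE-2025-23439.
# Assumptions: standard wp-content/plugins/<slug>/ layout; slug and version
# ceiling taken from the advisory text. Not the plugin's or OpenCVE's code.
AFFECTED_THROUGH="0.1.0"
PLUGIN_SLUG="tinymce-extended-config"

# plugin_version <wp-root>: print the "Version:" header of the plugin's main
# file (the .php file in the plugin directory carrying a "Plugin Name:" header).
# Prints nothing and returns 1 when the plugin directory is absent.
plugin_version() {
  dir="$1/wp-content/plugins/$PLUGIN_SLUG"
  [ -d "$dir" ] || return 1
  for f in "$dir"/*.php; do
    [ -f "$f" ] || continue
    # WordPress reads plugin metadata from the header comment of the main file,
    # and only that file carries "Plugin Name:".
    if grep -q '^[[:space:]*]*Plugin Name:' "$f"; then
      sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$f" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
      return 0
    fi
  done
  return 1
}

# version_le A B: succeed when dotted version A <= B, comparing component by
# component numerically; a missing component counts as 0 (0.1 == 0.1.0) and
# non-digit suffixes such as "-beta" are ignored.
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    ai="$(printf '%s' "$ai" | tr -cd '0-9')"; ai="${ai:-0}"
    bi="$(printf '%s' "$bi" | tr -cd '0-9')"; bi="${bi:-0}"
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 0
}

# check_site <wp-root>: print "not-installed", "version-unknown",
# "affected <ver>" or "not-affected <ver>".
check_site() {
  v="$(plugin_version "$1")" || { echo "not-installed"; return 0; }
  [ -n "$v" ] || { echo "version-unknown"; return 0; }
  if version_le "$v" "$AFFECTED_THROUGH"; then
    echo "affected $v"
  else
    echo "not-affected $v"
  fi
}

# demo_constructed_site: build a temporary WordPress-like tree containing a
# constructed plugin header at the advisory's last affected version, check it,
# and clean up. Sample data only, not a real install.
demo_constructed_site() {
  root="$(mktemp -d)"
  pdir="$root/wp-content/plugins/$PLUGIN_SLUG"
  mkdir -p "$pdir"
  printf '<?php\n/*\n * Plugin Name: TinyMCE Extended Config\n * Version: %s\n */\n' \
    "$AFFECTED_THROUGH" > "$pdir/$PLUGIN_SLUG.php"
  check_site "$root"
  rm -rf "$root"
}

# Usage: sh check.sh /var/www/html   (real WordPress root)
#        sh check.sh                 (constructed demo, prints "affected 0.1.0")
if [ $# -gt 0 ]; then check_site "$1"; else demo_constructed_site; fi
```

The check reads the header that WordPress itself uses for the plugin version, so it works on a copy of the files or a backup without a running site; "version-unknown" and "not-installed" are reported separately so a missing header is not mistaken for a safe state.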



Advisories
Source: EUVD
ID: EUVD-2025-5767
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config allows Reflected XSS. This issue affects TinyMCE Extended Config: from n/a through 0.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config allows Reflected XSS. This issue affects TinyMCE Extended Config: from n/a through 0.1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config tinymce-extended-config allows Reflected XSS.This issue affects TinyMCE Extended Config: from n/a through <= 0.1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config allows Reflected XSS. This issue affects TinyMCE Extended Config: from n/a through 0.1.0.
Title WordPress TinyMCE Extended Config plugin <= 0.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:53:17.279Z

Reserved: 2025-01-16T11:24:23.108Z

Link: CVE-2025-23439

Vulnrichment

Updated: 2025-03-03T20:13:38.356Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:35.047

Modified: 2026-06-17T08:54:22.790

Link: CVE-2025-23439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')