Description
Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems tinymce-advanced-qtranslate-fix-editor-problems allows Stored XSS.This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through <= 1.0.0.
Published: 2025-02-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery (CSRF) flaw in the Blackbam TinyMCE Advanced qTranslate fix editor problems plugin allows an attacker to force an authenticated user to submit a crafted request that stores malicious JavaScript in the WordPress editor. The stored payload is then executed in the browser context of any user who views the affected content, enabling session hijacking, data theft, or defacement. This weakness is categorized as CWE‑352.

Affected Systems

The vulnerability affects the TinyMCE Advanced qTranslate fix editor problems plugin from its initial release up through version 1.0.0. All installations of Blackbam’s plugin within that range are susceptible, regardless of the WordPress version they run on.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time. The exploit requires a target with permissions to edit content and the ability for the attacker to influence the CSRF request—an attacker could embed the request in a malicious page or email. Because the vulnerability leads to stored XSS, the potential impact includes compromising user sessions, leaking confidential data, and defacing sites. The plugin is not currently listed in the CISA KEV catalog, but the severity warrants proactive remediation.

Generated by OpenCVE AI on May 1, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TinyMCE Advanced qTranslate fix editor problems plugin to a version that removes the CSRF flaw, or uninstall the plugin if an update is unavailable.
  • If the plugin must remain in use, restrict editor access to a trusted set of users who have legitimate editing privileges, and verify that all form submissions include a valid CSRF token to prevent forged requests.
  • Deploy a web application firewall rule that blocks or sanitizes POST requests to the plugin’s editor endpoints to reduce the risk of stored XSS payloads from maliciously crafted traffic.

Generated by OpenCVE AI on May 1, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4233 Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems tinymce-advanced-qtranslate-fix-editor-problems allows Stored XSS.This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}

 epss

{'score': 0.00019}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}

 epss

{'score': 0.00017}

Tue, 18 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0.
Title WordPress TinyMCE Advanced qTranslate fix editor problems plugin <= 1.0.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.262Z

Reserved: 2025-02-12T13:58:55.640Z

Link: CVE-2025-26582

cve-icon Vulnrichment

Updated: 2025-02-13T14:33:16.687Z

cve-icon NVD

Status : Deferred

Published: 2025-02-13T14:16:24.407

Modified: 2026-06-17T09:02:03.763

Link: CVE-2025-26582

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)