Impact
A Cross‑Site Request Forgery flaw exists in the Just TinyMCE Custom Styles WordPress plugin in versions 1.2.1 and older. The vulnerability allows an attacker to trick a legitimate, logged‑in user into performing unintended actions via forged HTTP requests. The CVE description indicates a CSRF vulnerability; this is inferred to arise from a missing anti‑CSRF token (a WordPress nonce check), which aligns with CWE‑352. The impact is limited to actions the victim is authorized to perform: an attacker could, for example, cause content changes or alter plugin settings without the user's explicit consent. This poses a moderate confidentiality and integrity risk for the targeted site, but it does not directly allow code execution or system compromise.
Affected Systems
WordPress sites running the Just TinyMCE Custom Styles plugin by Alex Prokopenko / JustCoded, version 1.2.1 or earlier. No additional product or version details are supplied by the CNA; any site on which an affected version of the plugin is installed and active should be treated as vulnerable. Sites running newer versions, or without the plugin, are not affected.
Risk and Exploitability
The CVSS score of 4.3 indicates the bug is considered low‑to‑moderate severity. The EPSS score of less than 1% further suggests that the probability of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. A likely attack vector would be a logged‑in administrator visiting a specially crafted page or following a crafted link, which causes the victim's browser to issue a state‑changing request to the site. The attacker needs no credentials or privilege escalation of their own: the forged request rides on the victim's existing authenticated session.
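As an added illustration of the CWE‑352 pattern described in the Impact and Risk sections (this is not the plugin's own code, which the page does not show), the snippet below contrasts a WordPress settings‑save handler with no request‑origin check against the standard fix: a nonce emitted with `wp_nonce_field()` and verified with `check_admin_referer()`, paired with a capability check. Every function, option and action name prefixed `hypothetical_` is invented for the example.

```php
<?php
// Added example, not the plugin's code. All hypothetical_* names are invented.

// --- Vulnerable pattern (CWE-352): any POST reaching admin-post.php for this
// action is trusted. A request forged from another origin that the victim's
// browser submits with their session cookie overwrites the option unchecked.
function hypothetical_save_styles_vulnerable() {
    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    update_option( 'hypothetical_custom_css', $css );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-styles' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce bound to this action and the
// current user's session; the handler refuses requests that lack a valid one.
function hypothetical_render_styles_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_save_styles">';
    wp_nonce_field( 'hypothetical_save_styles' ); // emits hidden _wpnonce field
    echo '<textarea name="custom_css"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

function hypothetical_save_styles_hardened() {
    // Stops with a 403 page if _wpnonce is missing, expired, or was minted
    // for a different action or user. A cross-origin page cannot obtain it.
    check_admin_referer( 'hypothetical_save_styles' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    update_option( 'hypothetical_custom_css', wp_strip_all_tags( $css ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-styles' ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_styles', 'hypothetical_save_styles_hardened' );
```

When reviewing a plugin for this bug class, look for every `admin_post_*`, `wp_ajax_*` or options-page handler that calls `update_option()` or writes content without a preceding `check_admin_referer()` / `wp_verify_nonce()` call.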
OpenCVE Enrichment