Description
Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery. This issue affects Revision Manager TMC: from n/a through <= 2.8.22.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing attackers to trigger privileged actions on behalf of authenticated users
Action: Immediate Patch
AI Analysis

Impact

The Revision Manager TMC plugin for WordPress is affected by a Cross‑Site Request Forgery flaw (CWE‑352). In practice this means at least one state‑changing plugin action can be invoked without a valid WordPress nonce or equivalent anti‑forgery check, so an attacker who lures a logged‑in user to a page they control can have that user's browser submit the request, carrying the victim's session cookies, without the victim noticing. The public description does not name the affected action; based on the plugin's purpose (managing post revisions), it is inferred that an attacker could create, alter, or delete revision content, compromising the integrity of the site's content management. The CVSS vector records no confidentiality or availability impact (C:N/A:N), and no remote code execution is possible without a separate vulnerability.

Affected Systems

Vulnerable systems are those running the themastercut Revision Manager TMC WordPress plugin (slug revision-manager-tmc) at version 2.8.22 or earlier. The advisory gives no lower bound ("from n/a"), so every release up to and including 2.8.22 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) follows from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: the attacker needs no account on the target site (PR:N) but does need a victim to interact with attacker‑controlled content (UI:R), and the only impact recorded is a limited loss of integrity (I:L). The EPSS of < 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate that no exploitation is known and that the attack cannot be fully automated, and the vulnerability is not listed in the CISA KEV catalog. As with any CSRF flaw, the attack path is a malicious page or link that causes the victim's browser to submit a forged request to the plugin; the server accepts it because it carries the victim's valid session cookie. The attacker never touches the administrative interface directly: the victim's browser does so on the attacker's behalf, with the victim's privileges, so the victim must be logged in and hold a role that the affected action accepts.
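The mechanism described above, shown as an added illustration in PHP that is not code from Revision Manager TMC (the advisory does not name the affected action; the action name demo_delete_revision, the nonce name demo_nonce and the capability checked are assumptions for this example): a minimal admin-post.php handler that deletes a revision, first in the form that is open to CSRF and then with WordPress's nonce and capability checks.

```php
<?php
/**
 * Added illustration of the generic WordPress CSRF pattern behind CWE-352.
 * Not code from Revision Manager TMC; action names, nonce name and the
 * capability used are assumptions for the example.
 */

// --- Vulnerable pattern ---------------------------------------------------
// The handler trusts any POST that arrives with a logged-in session cookie.
// A page on another site can auto-submit a form to
// /wp-admin/admin-post.php with action=demo_delete_revision_vuln and the
// browser attaches the victim's wordpress_logged_in_* cookie to it.
add_action( 'admin_post_demo_delete_revision_vuln', function () {
    $revision_id = isset( $_POST['revision_id'] ) ? absint( $_POST['revision_id'] ) : 0;
    if ( $revision_id && wp_get_post_revision( $revision_id ) ) {
        wp_delete_post_revision( $revision_id ); // runs with the victim's privileges
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

// --- Hardened pattern -----------------------------------------------------
// 1. The form embeds a nonce bound to the action and to the current user's
//    session; a cross-site page cannot read it (same-origin policy).
// 2. The handler verifies the nonce before doing anything, so a forged POST
//    stops with a 403 from wp_die().
// 3. The handler also checks capability; CSRF protection does not replace
//    authorization, it only proves the request came from our own UI.
function demo_render_delete_revision_form( int $revision_id ): string {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_delete_revision">
        <input type="hidden" name="revision_id" value="<?php echo esc_attr( (string) $revision_id ); ?>">
        <?php wp_nonce_field( 'demo_delete_revision_' . $revision_id, 'demo_nonce' ); ?>
        <button type="submit"><?php esc_html_e( 'Delete revision' ); ?></button>
    </form>
    <?php
    return (string) ob_get_clean();
}

add_action( 'admin_post_demo_delete_revision', function () {
    $revision_id = isset( $_POST['revision_id'] ) ? absint( $_POST['revision_id'] ) : 0;

    // Nonce check. The action string includes the revision id so a nonce
    // issued for one revision cannot be replayed against another.
    // check_admin_referer() calls wp_die() with HTTP 403 on a missing or
    // invalid nonce.
    check_admin_referer( 'demo_delete_revision_' . $revision_id, 'demo_nonce' );

    $revision = $revision_id ? wp_get_post_revision( $revision_id ) : null;
    if ( ! $revision ) {
        wp_die( esc_html__( 'Unknown revision.' ), '', array( 'response' => 404 ) );
    }

    // Authorization: the user must be allowed to edit the parent post.
    if ( ! current_user_can( 'edit_post', $revision->post_parent ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this revision.' ), '', array( 'response' => 403 ) );
    }

    wp_delete_post_revision( $revision_id );
    wp_safe_redirect( add_query_arg( 'revision_deleted', '1', admin_url( 'edit.php' ) ) );
    exit;
} );
```

The two handlers differ only in the two checks at the top of the hardened one. Note that the nonce check alone would still let any logged-in user with a valid nonce delete any revision, which is why the capability check is kept as a separate step.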

Generated by OpenCVE AI on April 16, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Revision Manager TMC plugin to a release later than 2.8.22 as soon as the vendor publishes one; no fixed version is recorded on this page, so confirm from the plugin's changelog that the release addresses the CSRF issue before relying on it.
  • If an immediate upgrade is not possible, reduce exposure at the perimeter: have the reverse proxy, WAF, or a small must‑use plugin reject POST requests to wp‑admin/ (including admin‑post.php and admin‑ajax.php) whose Origin header, or Referer when Origin is absent, does not match the site's own host. The proper fix, a nonce issued with wp_nonce_field() and verified with check_admin_referer() or wp_verify_nonce() on every state‑changing action, is a change to the plugin's own code; do not patch the plugin's files in place, since the next update will overwrite the change.
  • Do not rely on two‑factor authentication to mitigate this flaw: a forged request rides on a session the victim has already authenticated, so the second factor has already been satisfied. What limits exposure instead is shortening the window in which a privileged session exists: keep administrator sessions short, have privileged users log out of wp‑admin before browsing untrusted sites, and, where the hosting stack allows it, set the SameSite attribute on the WordPress authentication cookies. Chromium‑based browsers already treat cookies without a SameSite attribute as Lax, which blocks most cross‑site POST submissions but still sends cookies on top‑level GET navigations, so any plugin action that changes state on a GET request remains reachable.
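The perimeter workaround from the second bullet, as an added example of a WordPress must‑use plugin. This is an illustration written for this page, not code from the plugin's vendor or from OpenCVE; the plugin name, the function name aog_request_is_same_site and the log prefix are hypothetical.

```php
<?php
/**
 * Plugin Name: Admin Origin Guard (example)
 *
 * Added illustration of the Origin/Referer workaround; not code from
 * Revision Manager TMC or its vendor. Drop into wp-content/mu-plugins/ on a
 * site that cannot update yet. It rejects state-changing requests to
 * wp-admin (admin-post.php and admin-ajax.php included) whose Origin, or
 * Referer when Origin is absent, is not this site. It is a stop-gap only and
 * does not replace the nonce checks the plugin itself must perform.
 */

/**
 * Decide whether a request may proceed. Kept free of WordPress state so it
 * can be exercised on its own; $home_host is the host part of home_url().
 */
function aog_request_is_same_site( string $method, ?string $origin, ?string $referer, string $home_host ): bool {
    // Safe methods change no state; leave them alone so admin pages still load.
    if ( in_array( strtoupper( $method ), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return true;
    }
    // Browsers send Origin on every POST, same-site or not; prefer it over
    // Referer, which users and extensions strip more often. A literal "null"
    // Origin (sandboxed iframe, opaque origin) is treated as absent.
    $source = ( $origin !== null && $origin !== '' && $origin !== 'null' ) ? $origin : $referer;
    if ( $source === null || $source === '' ) {
        // Fail closed: a POST with neither header cannot be attributed to this site.
        return false;
    }
    $host = wp_parse_url( $source, PHP_URL_HOST );
    return is_string( $host ) && strcasecmp( $host, $home_host ) === 0;
}

add_action( 'init', function () {
    // Scope: only wp-admin requests, and never cron or WP-CLI, which carry no
    // browser headers and would otherwise be rejected by the fail-closed rule.
    if ( ! is_admin() || wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $origin  = isset( $_SERVER['HTTP_ORIGIN'] ) ? wp_unslash( $_SERVER['HTTP_ORIGIN'] ) : null;
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : null;
    $home    = (string) wp_parse_url( home_url(), PHP_URL_HOST );

    if ( ! aog_request_is_same_site( $method, $origin, $referer, $home ) ) {
        error_log( sprintf(
            'aog: blocked cross-site %s to %s origin=%s referer=%s',
            $method,
            $_SERVER['REQUEST_URI'] ?? '?',
            $origin ?? '-',
            $referer ?? '-'
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

Because the guard fails closed on POSTs that carry neither header, test it against any scripted tooling that posts to wp‑admin (backup agents, deployment hooks) before leaving it in place, and adjust the host comparison on a multisite installation whose sites live on different hosts. Hooking init at priority 0 means the check runs before plugin handlers registered on admin_post_* or wp_ajax_* actions.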

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Themastercut; Themastercut revision Manager Tmc; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Themastercut; Themastercut revision Manager Tmc; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 19:30:00 +0000

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery. This issue affects Revision Manager TMC: from n/a through <= 2.8.22.

Type: Title
Values removed: (none)
Values added: WordPress Revision Manager TMC plugin <= 2.8.22 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-352

Type: References
Values removed: (none)
Values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:58.148Z

Reserved: 2026-02-02T12:53:19.001Z

Link: CVE-2026-25411

Vulnrichment

Updated: 2026-02-19T18:41:41.988Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:22.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses