TextBuilder WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Account Takeover
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TextBuilder plugin for WordPress, affecting versions from 1.0.0 up to, but not including, 1.1.1. The issue arises from missing or incorrect nonce validation in the 'handleToken' function, so a state-changing request is accepted without any proof that the logged-in user intended to send it. An attacker needs no account of their own: it is enough to trick a logged-in site administrator into clicking a crafted link, because the administrator's browser attaches the session cookie to the forged request. The request sets the user's authorization token to an attacker-chosen value, and that token can then be used to change the account's password and email address.
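The pattern the advisory describes, as an added example that is not the TextBuilder plugin's code: an admin-post handler that stores a value from the request without any nonce or capability check, beside a hardened version and the settings form that produces a valid request. Only the function name handleToken is taken from the advisory; its body, the option name textbuilder_api_token, the admin-post action slug textbuilder_token, the nonce action textbuilder_save_token and the request parameter token are assumptions made for illustration.

```php
<?php
/**
 * Added example, not the TextBuilder plugin's own code. The option name,
 * action slug, nonce action and parameter name below are hypothetical.
 */

// --- Affected pattern: a state-changing handler with no nonce or capability check.
// admin_post_{action} fires for any logged-in user who requests
// admin-post.php?action=textbuilder_token, including via a plain GET link, so a
// logged-in administrator who follows an attacker's link runs it with their own
// session cookie and the attacker-chosen token is stored.
function handleToken_vulnerable() {
    $token = isset( $_REQUEST['token'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['token'] ) ) : '';
    update_option( 'textbuilder_api_token', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=textbuilder' ) );
    exit;
}
// add_action( 'admin_post_textbuilder_token', 'handleToken_vulnerable' ); // the affected wiring

// --- Hardened handler.
function handleToken_hardened() {
    // 1. Reject GET so a bare link cannot trigger the change. This is defence in
    //    depth only: an auto-submitting form on an attacker's page can still POST,
    //    so the nonce check below is what actually stops CSRF.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Invalid request method.', 405 );
    }

    // 2. Nonce check. check_admin_referer() verifies the nonce in the '_wpnonce'
    //    field against the action 'textbuilder_save_token' for the current user
    //    and session, and dies on failure. An attacker's page cannot obtain
    //    this value, so a forged request fails here.
    check_admin_referer( 'textbuilder_save_token' );

    // 3. Authorisation. A nonce proves intent, not privilege: any logged-in user
    //    who can load the form could submit it, so check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 4. Read from $_POST only, after the checks above.
    $token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    update_option( 'textbuilder_api_token', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=textbuilder&updated=1' ) );
    exit;
}
add_action( 'admin_post_textbuilder_token', 'handleToken_hardened' );

// --- Settings form that produces a valid request. wp_nonce_field() emits the
// hidden _wpnonce and _wp_http_referer inputs that check_admin_referer() expects.
function textbuilder_render_token_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="textbuilder_token">
        <?php wp_nonce_field( 'textbuilder_save_token' ); ?>
        <label>
            API token
            <input type="text" name="token"
                   value="<?php echo esc_attr( get_option( 'textbuilder_api_token', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save token' ); ?>
    </form>
    <?php
}
```

Two points worth checking when reviewing a plugin for this class of bug: whether the handler is hooked on `admin_post_*` or `wp_ajax_*` and reads from `$_REQUEST` or `$_GET` (a link alone then suffices), and whether a nonce check is present but paired with the wrong action string, which `wp_verify_nonce()` reports as a failure only if the code actually acts on its return value.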
Impact
A successful attack lets an unauthenticated attacker overwrite the victim's authorization token with a value the attacker controls. With that token the attacker can change the account's password and email address, which amounts to a takeover of the affected account; when the victim is an administrator, this means administrative control of the site.
Remediation
Update the TextBuilder WordPress plugin to version 1.2.0 or later. Sites that ran an affected version should also review administrator accounts for unexpected email address or password changes, since a successful attack leaves the changed credentials in place after the plugin is updated.