Just TinyMCE Custom Styles Security & Risk Analysis

wordpress.org/plugins/just-tinymce-styles

Adds dropdown options for custom css classes and attributes for tags in WordPress TinyMCE Editor.

2K active installs · v1.2.1 · PHP + WP 4.3+ · Updated Aug 14, 2020
Tags: custom-styles, editor, link-class, styles, tinymce
Score 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Dec 8, 2025
Safety Verdict

Is Just TinyMCE Custom Styles Safe to Use in 2026?

Use With Caution

Score 63/100

Just TinyMCE Custom Styles has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Dec 8, 2025 · Updated 5yr ago
Risk Assessment

The "just-tinymce-styles" plugin exhibits a concerning security posture, primarily due to its unprotected AJAX handler and a history of vulnerabilities, including a currently unpatched medium severity CVE.

The static analysis reveals a small attack surface, but the presence of a single unprotected AJAX handler is a significant weakness. While the plugin utilizes prepared statements for its SQL queries, its output escaping is notably poor, with only 31% of outputs being properly escaped, indicating a potential for cross-site scripting (XSS) vulnerabilities. The use of the `unserialize` function is also a red flag, especially when combined with potentially untrusted data, which could lead to remote code execution.

The plugin's vulnerability history is problematic. It has a known CVE that remains unpatched, which is a direct indication of ongoing risk. Cross-Site Request Forgery (CSRF) appears as a common vulnerability type in that history, and together with the unprotected AJAX handler this suggests that attackers could trick users into performing unwanted actions. While the taint analysis did not reveal any explicit unsanitized paths, the other indicators are sufficient to warrant caution. Overall, the plugin demonstrates some good practices, such as using prepared statements, but is severely undermined by unpatched vulnerabilities, unprotected entry points, and insecure coding practices like `unserialize` and poor output escaping.

Key Concerns

  • Unprotected AJAX handler
  • Unpatched medium severity CVE
  • Dangerous function unserialize
  • Low output escaping percentage
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities: 1

Just TinyMCE Custom Styles Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1
1 total CVE

CVE-2025-62871 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Just TinyMCE Custom Styles <= 1.2.1 - Cross-Site Request Forgery

Dec 8, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Just TinyMCE Custom Styles Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 11 (5 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$value = @unserialize($value);` · core\DBDataLayer.php:26

Bundled Libraries

TinyMCE

Output Escaping

31% escaped · 16 total outputs

Attack Surface: 1 unprotected

Just TinyMCE Custom Styles Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_jtmce_editor_css · components\TinyMceExt.php:20

WordPress Hooks: 10

filter · mce_buttons_2 · components\TinyMceExt.php:16
filter · tiny_mce_before_init · components\TinyMceExt.php:17
filter · mce_css · components\TinyMceExt.php:19
action · admin_menu · controllers\FormatsController.php:18
action · admin_init · controllers\FormatsController.php:21
action · admin_init · controllers\FormatsController.php:22
action · admin_menu · controllers\PresetsController.php:17
action · admin_menu · controllers\SettingsController.php:17
action · jtmce_print_admin_notice · core\Model.php:61
action · jtmce_print_admin_notice · core\Model.php:75

Maintenance & Trust

Just TinyMCE Custom Styles Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.5.18
Last updated: Aug 14, 2020
PHP min version
Downloads: 20K

Community Trust

Rating: 96/100
Number of ratings: 6
Active installs: 2K
Developer Profile

Just TinyMCE Custom Styles Developer Profile

Alex Prokopenko / JustCoded

5 plugins · 3K total installs

Trust score: 79
Avg Security Score: 79/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Just TinyMCE Custom Styles

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/just-tinymce-styles/assets/js/jcforms-multifield.js
/wp-content/plugins/just-tinymce-styles/assets/css/jcforms-multifield.css
Script Paths
/wp-content/plugins/just-tinymce-styles/assets/js/jcforms-multifield.js

HTML / DOM Fingerprints

CSS Classes
jc-multifield-add
jc-multifield-remove
jc-multifield-wrapper
jc-multifield-item
jc-multifield-field
Data Attributes
data-jtmce-field-id
JS Globals
jtmce