TinyMCE Color Picker Security & Risk Analysis

wordpress.org/plugins/tinymce-colorpicker

This plugin adds an advanced color picker to the editor. You’ll have the ability to add custom colors with a color picker, a feature that has been re …

1K active installs · v1.3 · PHP + WP 3.9+ · Updated Nov 28, 2017
Tags: color-picker, tinymce
84
B · Generally Safe
CVEs total: 2
Unpatched: 0
Last CVE: May 1, 2014
Safety Verdict

Is TinyMCE Color Picker Safe to Use in 2026?

Mostly Safe

Score 84/100

TinyMCE Color Picker is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · Last CVE: May 1, 2014 · Updated 8yr ago
Risk Assessment

The 'tinymce-colorpicker' v1.3 plugin exhibits a mixed security posture. Static analysis reveals a very small attack surface with all identified entry points having authentication and capability checks in place, along with proper SQL and output escaping. This indicates good development practices regarding these common vulnerability vectors. However, the vulnerability history is a significant concern. The plugin has two known medium-severity vulnerabilities, specifically Cross-Site Request Forgery (CSRF) and Missing Authorization. While none are currently unpatched, the recurrence of these issues suggests potential weaknesses in how the plugin handles user input and permissions, even with the presence of nonce and capability checks. The outdated bundled TinyMCE library is a minor concern, though not necessarily exploitable in itself without further vulnerabilities.

Key Concerns

  • Known medium-severity CVEs (2)
  • Bundled outdated library: TinyMCE v1.3
Vulnerabilities
2

TinyMCE Color Picker Security Vulnerabilities

CVEs by Year

2 CVEs in 2014

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2014-3845 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

TinyMCE Color Picker < 1.2 - Cross-Site Request Forgery

May 1, 2014 · Patched in 1.2 (3554d)

CVE-2014-3844 · medium · 5.3 · Missing Authorization

TinyMCE Color Picker <= 1.1 - Missing Authorization

Apr 28, 2014 · Patched in 1.2 (3557d)
Code Analysis
Analyzed Mar 16, 2026

TinyMCE Color Picker Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (0 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE 1.3
Attack Surface

TinyMCE Color Picker Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_tinymce_cp__update_option · tinymce-colorpicker.php:67

WordPress Hooks: 4

action · mce_external_plugins · tinymce-colorpicker.php:15
action · wp_enqueue_editor · tinymce-colorpicker.php:25
filter · tiny_mce_before_init · tinymce-colorpicker.php:37
filter · mce_buttons_2 · tinymce-colorpicker.php:53
Maintenance & Trust

TinyMCE Color Picker Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.9.40
Last updated: Nov 28, 2017
PHP min version
Downloads: 19K

Community Trust

Rating: 100/100
Number of ratings: 21
Active installs: 1K
Developer Profile

TinyMCE Color Picker Developer Profile

iseulde

1 plugin · 1K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 3556 days
Detection Fingerprints

How We Detect TinyMCE Color Picker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tinymce-colorpicker/tinymce-colorpicker.js
/wp-content/plugins/tinymce-colorpicker/tinymce-colorpicker.css
Script Paths
tinymce-colorpicker.js

HTML / DOM Fingerprints

JS Globals
tinymce_cp__mce_external_plugins
tinymce_cp__wp_enqueue_editor
tinymce_cp__tiny_mce_before_init
tinymce_cp__mce_buttons_2
tinymce_cp__update_option
tinyMCEColorPicker
REST Endpoints
/wp-json/tinymce-colorpicker
FAQ

Frequently Asked Questions about TinyMCE Color Picker