How ZeroPath Works
Back to Blog

TextBuilder WordPress Plugin CVE-2025-9213: Brief Summary of a High-Severity CSRF Vulnerability

This post offers a brief summary of CVE-2025-9213, a critical Cross-Site Request Forgery vulnerability in the TextBuilder WordPress plugin (versions 1.0.0 to 1.1.1). We focus on the technical mechanism, affected versions, and vendor context based on public sources. No patch or detection guidance is included as none is currently available.
CVE Analysis

7 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-10-03

TextBuilder WordPress Plugin CVE-2025-9213: Brief Summary of a High-Severity CSRF Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can take over WordPress administrator accounts by exploiting a flaw in the TextBuilder plugin's authentication workflow. This vulnerability allows unauthorized changes to user credentials if an administrator is tricked into clicking a malicious link or visiting a crafted page. The impact is immediate: password and email address changes are possible without any authentication on the attacker's part.

TextBuilder is an AI-powered content creation plugin for WordPress, developed by TextBuilder.ai. With over 5,000 active installations, it is widely used by site owners seeking automated content solutions. The plugin integrates with external AI services and has seen rapid adoption since its release.

Technical Information

CVE-2025-9213 is a Cross-Site Request Forgery vulnerability affecting the TextBuilder WordPress plugin in versions 1.0.0 through 1.1.1. The root cause is missing or incorrect nonce validation in the handleToken function. WordPress nonces are intended to ensure that sensitive actions are performed only by legitimate users, by requiring a unique token to be included and verified with each request. In this case, the plugin either omits nonce validation or implements it incorrectly, leaving the endpoint open to CSRF attacks.

An attacker can craft a malicious request to the vulnerable endpoint and deliver it to a logged-in administrator via social engineering. If the administrator interacts with the malicious content while authenticated, the attacker's request is processed with the administrator's privileges. The attack does not require the attacker to be authenticated. Once the forged request is accepted, the attacker's supplied authorization token is set for the targeted user. This enables subsequent changes to the user's password and email address, resulting in a full account takeover scenario.

No public code snippets for the vulnerable function have been released. The vulnerability is present in all plugin installations running versions 1.0.0 through 1.1.1.

Affected Systems and Versions

  • Product: TextBuilder WordPress plugin
  • Affected versions: 1.0.0, 1.1.0, 1.1.1
  • All configurations of these versions are vulnerable

Vendor Security History

TextBuilder.ai has not previously had public vulnerabilities reported in the WordPress plugin repository. The plugin was closed as of September 30, 2025, pending a full security review. The rapid release cycle and integration with external AI services may have contributed to the oversight in nonce validation. There is no public record of prior security advisories or patch response metrics for this vendor.

References

Detect & fix
what others miss

Get startedBook a demo