Introduction
Attackers can take over WordPress administrator accounts through a cross-site request forgery (CSRF) flaw in the TextBuilder plugin's token-handling workflow. The flaw lets an attacker change a user's credentials if a logged-in administrator is tricked into clicking a malicious link or visiting a crafted page: the forged request rides on the administrator's existing session, so the attacker needs no credentials of their own. Once the request is accepted, password and email address changes follow, resulting in full account takeover.
TextBuilder is an AI-powered content creation plugin for WordPress, developed by TextBuilder.ai. With over 5,000 active installations, it is widely used by site owners seeking automated content solutions. The plugin integrates with external AI services and has seen rapid adoption since its release.
Technical Information
CVE-2025-9213 is a Cross-Site Request Forgery vulnerability affecting the TextBuilder WordPress plugin in versions 1.0.0 through 1.1.1. The root cause is missing or incorrect nonce validation in the handleToken function. WordPress nonces are single-purpose tokens bound to a user, a session, a named action and a time window; a handler that performs a state-changing action is expected to emit the nonce in its form or URL and verify it (for example with wp_verify_nonce() or check_admin_referer()) before acting, so that a request originating from a third-party page, which cannot obtain a valid nonce, is rejected. Because handleToken either omits this check or performs it incorrectly, any request that reaches the endpoint carrying a valid login cookie is processed.
An attacker crafts a request to the vulnerable endpoint (for example, a page containing a hidden, auto-submitting form) and delivers it to a logged-in administrator through social engineering. When the administrator's browser issues that request, it carries the administrator's session cookies, so WordPress treats it as the administrator's own action and the plugin processes it with that user's privileges. The attacker never authenticates to the site. Once the forged request is accepted, the attacker-supplied authorization token is stored for the targeted user. This enables subsequent changes to the user's password and email address, completing the account takeover.
No public code snippets for the vulnerable function have been released. The vulnerability is present in all plugin installations running versions 1.0.0 through 1.1.1.
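To make the bug class concrete, the following is an added illustrative example written for this page; it is not TextBuilder's handleToken, whose source is not public. Every function, hook, meta key and form field name in it (demo_save_token_vulnerable, demo_api_token, the demo_save_token action, and so on) is an assumption chosen for illustration. It places a token-saving admin-post handler that performs no nonce check beside a hardened version that checks the caller's capability and verifies the nonce with check_admin_referer().

```php
<?php
/**
 * Added illustrative example, not TextBuilder's code. Shows the bug class the
 * advisory describes (a token-saving admin action with no nonce check) beside a
 * hardened version. All function, hook, option and field names are assumptions
 * for illustration; the plugin's real handler is not public.
 */

// VULNERABLE PATTERN (hypothetical): the handler trusts any POST that reaches
// admin-post.php with a valid login cookie. A logged-in admin lured to an
// attacker page that auto-submits a form to this action ends up with the
// attacker's token stored under their own account.
function demo_save_token_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $token = isset( $_POST['api_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_token'] ) )
        : '';
    // No nonce and no capability check: request origin is never verified.
    update_user_meta( get_current_user_id(), 'demo_api_token', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-settings&saved=1' ) );
    exit;
}

// HARDENED PATTERN: capability check plus a nonce tied to a specific action.
function demo_save_token_hardened() {
    // 1. Authorization: only users who may manage options can change the token.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: check_admin_referer() reads the '_wpnonce' field,
    //    verifies it against the action name for the current user and session,
    //    and calls wp_die() if it is missing, expired or forged. A third-party
    //    page cannot obtain a valid nonce, so its forged POST dies here.
    check_admin_referer( 'demo_save_token' );

    $token = isset( $_POST['api_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_token'] ) )
        : '';
    update_user_meta( get_current_user_id(), 'demo_api_token', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-settings&saved=1' ) );
    exit;
}

// Settings form that emits the nonce the hardened handler expects.
// wp_nonce_field() adds the hidden '_wpnonce' input bound to 'demo_save_token'.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_token">
        <?php wp_nonce_field( 'demo_save_token' ); ?>
        <label>API token
            <input type="text" name="api_token" value="">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler.
add_action( 'admin_post_demo_save_token', 'demo_save_token_hardened' );
```

check_admin_referer() calls wp_die() on a bad or missing nonce; where a handler should return a normal response instead, call wp_verify_nonce() directly and return early when it yields false. The equivalent for admin-ajax.php handlers is check_ajax_referer(). Note that the nonce check and the capability check do different jobs: current_user_can() stops a low-privilege user from invoking the action at all, while the nonce stops a third-party page from driving an administrator's browser into invoking it, which is exactly the path CVE-2025-9213 leaves open.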
Affected Systems and Versions
- Product: TextBuilder WordPress plugin
- Affected versions: 1.0.0, 1.1.0, 1.1.1
- All configurations of these versions are vulnerable
Vendor Security History
No public vulnerabilities had previously been reported against TextBuilder.ai's plugin in the WordPress plugin repository. The plugin was closed as of September 30, 2025, pending a full security review. A closed plugin is no longer distributed or updated through the repository, so affected sites cannot expect a fix to arrive by automatic update and should deactivate and remove the plugin until a reviewed release is available. The rapid release cycle and integration with external AI services may have contributed to the oversight in nonce validation. There is no public record of prior security advisories or patch response metrics for this vendor.