The richtexteditor Rich Text Editor versions up to 1.0.1 contain a CSRF vulnerability that enables stored XSS attacks. This means an attacker can trick an authenticated user into submitting a forged request that results in malicious script being stored and executed in the context of the application. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability. No patch or official fix has been referenced in the available data.

Successful exploitation of this vulnerability could allow an attacker to execute stored malicious scripts in the context of the vulnerable application, potentially leading to session hijacking, data theft, or other malicious actions within the scope of the affected application. The vulnerability requires user interaction and can be exploited remotely without privileges. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and validating user input to mitigate the risk of stored XSS. Monitoring for suspicious activity related to the Rich Text Editor is advisable. Avoid using vulnerable versions if possible.