Description
The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the td_ajax_get_views AJAX action. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Patch Now
AI Analysis

Impact

The tagDiv Composer plugin for WordPress contains a Cross-Site Request Forgery flaw in the td_ajax_get_views AJAX action. Because the plugin omits correct nonce validation, an unauthenticated attacker can build a forged request that, if a site administrator unknowingly triggers it, injects arbitrary JavaScript that is stored on the site. The resulting stored XSS can allow the attacker to hijack the administrator's session, deface content, or exfiltrate sensitive information. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting).

Affected Systems

WordPress installations running tagDiv Composer versions 5.3 or earlier are affected; the flaw exists in the core Composer plugin that is commonly bundled with themes such as Newspaper. Any site that has not applied a newer Composer release is vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is below 1 %, suggesting rare exploitation, and the vulnerability is not listed in CISA KEV. Attackers need to trick an authenticated administrator into visiting a crafted URL to activate the CSRF request, implying a social‑engineering prerequisite rather than network‑level access. The risk remains moderate but could be elevated in high‑value sites where admins are frequently targeted.

Generated by OpenCVE AI on April 22, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update tagDiv Composer to the latest version that includes correct nonce validation (any release newer than 5.3).
  • If an update is not immediately available, remove or restrict access to the td_ajax_get_views AJAX action for non‑admin users or disable the plugin entirely until patched.
  • Enforce a strict Content Security Policy that blocks inline scripts, and use a web application firewall to detect and block forged cross-site requests.
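For reference, the pattern the remediation describes, as an added illustration that is not tagDiv Composer's own code: a hypothetical admin-ajax action named example_get_views, shown in the weak form (reachable without a nonce or capability check) and in the hardened form that verifies a nonce bound to the action, checks the caller's capability, and sanitizes what it stores. All function and option names are invented for the example; the WordPress API calls are real.

```php
<?php
// Added illustration (not tagDiv Composer's code): a hypothetical
// admin-ajax action "example_get_views" that stores a request-supplied
// value, in its weak form and its hardened form.

// Weak form: no nonce, no capability check, value stored as-is, and (if
// the commented-out nopriv hook were active) reachable without login.
// Any page an administrator visits can submit this request on their behalf.
function example_get_views_weak() {
    $label = $_POST['label'] ?? '';
    update_option( 'example_views_label', $label );  // stored unsanitized
    wp_send_json_success( array( 'label' => $label ) );
}
// add_action( 'wp_ajax_example_get_views', 'example_get_views_weak' );
// add_action( 'wp_ajax_nopriv_example_get_views', 'example_get_views_weak' );

// Hardened form: a nonce tied to the action name is issued only to the
// legitimate admin page, verified on every request, and the capability is
// checked before anything is written. Input is sanitized on the way in and
// escaped on the way out.
function example_get_views_safe() {
    // Sends "-1" with HTTP 403 and stops if the 'nonce' field is missing or stale.
    check_ajax_referer( 'example_get_views', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'example_views_label', $label );
    wp_send_json_success( array( 'label' => esc_html( $label ) ) );
}
// Authenticated hook only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_get_views', 'example_get_views_safe' );

// Hand the nonce to the admin page's script so legitimate requests carry it.
// A third-party page cannot read this value, which is what defeats the forgery.
function example_enqueue_views_script() {
    wp_enqueue_script( 'example-views', plugins_url( 'views.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-views', 'exampleViews', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_get_views' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_views_script' );
```

When auditing a plugin for this class of bug, look for every wp_ajax_ and wp_ajax_nopriv_ registration and confirm the callback reaches check_ajax_referer (or wp_verify_nonce) and a current_user_can check before it writes anything.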

Advisories
Source: EUVD; ID: EUVD-2025-8559; Title: The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the td_ajax_get_views AJAX action. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 28 Mar 2025 14:15:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 08:30:00 +0000

Description, values added: The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the td_ajax_get_views AJAX action. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title, values added: tagDiv Composer <= 5.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses, values added: CWE-79
References
Metrics (cvssV3_1), values added:

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Tagdiv Composer
Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:32.192Z

Reserved: 2025-02-25T23:40:03.384Z

Link: CVE-2025-1705

Vulnrichment

Updated: 2025-03-28T13:54:57.236Z

NVD

Status : Deferred

Published: 2025-03-28T09:15:13.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses