Description
The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-03-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch now
AI Analysis

Impact

The tagDiv Composer plugin for WordPress contains a reflected cross‑site scripting flaw that permits unauthenticated attackers to inject user‑controlled scripts via the 'account_id' and 'account_username' parameters. These parameters are exposed in the URL and the plugin fails to apply proper input sanitization or output escaping. The flaw allows an attacker to embed arbitrary scripts that will run in the victim's browser when the user clicks a crafted link or visits a malicious URL, leading to theft of credentials, session hijacking or malicious content injection. The weakness is a classic input validation flaw (CWE‑79).

Affected Systems

This vulnerability affects all releases of the tagDiv Composer plugin up to and including version 5.3. The plugin is commonly bundled with the Newspaper theme on WordPress sites. Users running any of these versions are exposed to the flaw unless they update to a patched release beyond 5.3.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. The EPSS score of less than 1 percent shows a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalogue. Attackers can trigger the exploit by delivering a crafted URL containing malicious payloads in the 'account_id' or 'account_username' parameters and luring a user to click it. Successful exploitation would only affect the victim’s browser session and does not allow direct code execution on the server.

Generated by OpenCVE AI on April 21, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the tagDiv Composer plugin to the latest version released after 5.3, which removes the unsanitized input handling.
  • If an immediate upgrade is not possible, disable the 'account_id' and 'account_username' query parameters on the affected pages by removing or sanitizing them in the theme or via custom code.
  • Consider disabling the tagDiv Composer plugin entirely until a patch is applied, and review any custom scripts that interact with these parameters for proper escaping.

Generated by OpenCVE AI on April 21, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15098 The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Fri, 28 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 05:30:00 +0000

Type Values Removed Values Added
Description The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title tagDiv Composer <= 5.3 - Reflected Cross-Site Scripting via 'account_id' and 'account_username'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:48.636Z

Reserved: 2025-03-25T21:34:03.548Z

Link: CVE-2025-2804

cve-icon Vulnrichment

Updated: 2025-03-28T14:35:54.093Z

cve-icon NVD

Status : Deferred

Published: 2025-03-28T06:15:34.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')