Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2.
Published: 2026-03-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Patch
AI Analysis

Impact

An input validation flaw in the tagDiv Composer WordPress plugin allows attackers to embed malicious scripts that are reflected back in the page. The vulnerability is a classic reflected XSS (CWE‑79) and enables client‑side code execution, which can lead to session hijacking, data theft, or malicious site manipulation if a user visits a crafted URL or submits a covert form.

Affected Systems

All WordPress sites running the tagDiv Composer plugin up to and including version 5.4.2 are affected. Versions prior to the earliest release (i.e., any available installation of the plugin) are also vulnerable until the patch is applied. The issue does not apply to versions 5.4.3 and later.

Risk and Exploitability

The risk is moderated by the low likelihood of exploitation, with an EPSS probability below 1%. Although the flaw is remotely exploitable via a crafted request, it requires the victim to visit or interact with a vulnerable page. It is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no known widespread exploitation.

Generated by OpenCVE AI on April 2, 2026 at 03:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest tagDiv Composer update, version 5.4.3 or newer.
  • Confirm current plugin version and upgrade any installations older than 5.4.2.
  • If an update is not possible, disable or delete the tagDiv Composer plugin to remove the attack vector.
  • Deploy a web‑application firewall or security plugin that blocks reflected XSS input as a temporary protective measure.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through 5.4.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Tagdiv; Tagdiv tagdiv Composer; Wordpress; Wordpress wordpress
Vendors & Products: Tagdiv; Tagdiv tagdiv Composer; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through 5.4.2.
Title WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T15:55:56.480Z

Reserved: 2025-06-11T16:08:03.196Z

Link: CVE-2025-50001

Vulnrichment

Updated: 2026-03-19T13:43:10.907Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T09:16:15.683

Modified: 2026-04-01T17:25:29.490

Link: CVE-2025-50001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:55Z

Weaknesses