Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper neutralization of input during web page generation, allowing a DOM‑based XSS attack. The flaw can be exploited to inject malicious JavaScript that runs in the victim’s browser, leading to data theft, credential compromise or defacement. It is a classic input sanitization failure, identified as CWE‑79."

Affected Systems

Any WordPress installation that uses the tagDiv Composer plugin version 5.4.2 or earlier is affected. The plugin is a common theme‑builder component, so a wide range of sites that have not upgraded past 5.4.2 are at risk."

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS rating of less than 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. The attack can be carried out from a malicious link or user input, requires no special privileges, and would affect the victim’s browser session only."

Generated by OpenCVE AI on April 30, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tagDiv Composer to a version newer than 5.4.2
  • If an upgrade is not immediately possible, disable or delete the plugin until a patch is released
  • Implement a web application firewall rule or Content Security Policy that blocks or sanitizes injected scripts

Generated by OpenCVE AI on April 30, 2026 at 04:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Tagdiv
Tagdiv composer
Wordpress
Wordpress wordpress
Vendors & Products Tagdiv
Tagdiv composer
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2.
Title WordPress tagDiv Composer plugin <= 5.4.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Tagdiv Composer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:15.858Z

Reserved: 2025-06-11T16:08:11.572Z

Link: CVE-2025-50005

cve-icon Vulnrichment

Updated: 2026-01-26T21:58:55.266Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:57.017

Modified: 2026-04-27T16:16:27.847

Link: CVE-2025-50005

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses