Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.This issue affects tagDiv Composer: from n/a through <= 5.4.1.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that allows an attacker to inject arbitrary JavaScript into pages rendered by the tagDiv Composer plugin. The injected script runs in the context of the affected site, enabling cookie theft, session hijacking, defacement or malicious redirects for anyone who views the compromised page.

Affected Systems

All WordPress sites using tagDiv Composer plugin version 5.4.1 or earlier are affected. Site administrators should verify the installed plugin version and ensure it is updated to a secure release.

Risk and Exploitability

The CVSS base score of 7.1 denotes high severity. The EPSS score is below 1 %, indicating that exploitation attempts are infrequent and the vulnerability has not been widely leveraged. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness by inserting malicious input through the plugin’s content paths. Based on the description, it is inferred that privileged authentication is not required, which lowers the barrier to exploitation; however, the low EPSS suggests that sophisticated attackers may currently be targeting higher‑value platforms.

Generated by OpenCVE AI on April 29, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tagDiv Composer to the latest available version (5.4.2 or later).
  • If an upgrade is not immediately possible, sanitize existing plugin content by removing or escaping potentially malicious script tags.
  • Apply a robust Content Security Policy that blocks inline scripts and limits script loading to trusted origins.

Generated by OpenCVE AI on April 29, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Tagdiv
Tagdiv composer
Wordpress
Wordpress wordpress
Vendors & Products Tagdiv
Tagdiv composer
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.This issue affects tagDiv Composer: from n/a through <= 5.4.1.
Title WordPress tagDiv Composer plugin <= 5.4.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Tagdiv Composer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:49:20.448Z

Reserved: 2025-10-07T15:34:20.407Z

Link: CVE-2025-62031

cve-icon Vulnrichment

Updated: 2025-11-06T18:10:59.401Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:09.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:15:15Z

Weaknesses