Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection. This issue affects tagDiv Composer: from n/a through <= 5.4.3.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution via XSS
Action: Immediate Patch
AI Analysis

Impact

A flaw in the tagDiv Composer plugin allows malicious scripts to be injected through improperly sanitized shortcodes. This basic cross‑site scripting weakness can be exploited to run arbitrary JavaScript when a page containing the affected shortcode is viewed. The vulnerability stems from a failure to neutralize script‑related HTML tags, making it a CWE‑80 type issue. Successful exploitation could enable defacement, data theft, or user session hijacking depending on the attacker’s objectives.

Affected Systems

WordPress sites that incorporate the tagDiv Composer plugin, specifically all releases from the earliest available version through 5.4.3. The issue applies to any installation of the plugin that does not enforce its default sanitization rules, which is common in stock configurations. Administrators should verify the plugin version and whether the shortcode feature is enabled.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, while the exploit potential is considered low: the EPSS probability is under 1 percent and the issue has not yet appeared in the Known Exploited Vulnerabilities (KEV) catalog. The likely attack vector is remote web‑based input: an adversary can supply a crafted shortcode containing malicious script tags, which the plugin then renders unfiltered. In a successful scenario, the attacker would gain the ability to execute code within the context of the compromised site, potentially leading to defacement, data exfiltration, or further system compromise.

Generated by OpenCVE AI on April 8, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the tagDiv Composer plugin to version 5.4.4 or newer.
  • If an update is not yet possible, disable the shortcode feature or limit its use to trusted administrators only.
  • Verify that the WordPress theme or any custom code sanitizes all shortcode content before rendering.
  • Monitor server and application logs for unexpected script execution or injection attempts.
  • Check the vendor’s website and security advisories for any additional mitigations or patches.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tagdiv; Tagdiv tagdiv Composer; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Tagdiv; Tagdiv tagdiv Composer; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection. This issue affects tagDiv Composer: from n/a through <= 5.4.3.

Type: Title
Values Removed: (none)
Values Added: WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-80

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T13:11:52.383Z

Reserved: 2026-04-07T10:58:22.476Z

Link: CVE-2026-39712

Vulnrichment

Updated: 2026-04-08T13:11:26.636Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:44.130

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:40:05Z

Weaknesses