Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through 1.7.3.
AnalysisAI
The tagDiv Opt-In Builder WordPress plugin versions up to and including 1.7.3 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. An attacker can exploit this by tricking a user into clicking a malicious link, allowing the execution of arbitrary JavaScript in the victim's browser within the context of the vulnerable site. This vulnerability has a CVSS score of 7.1 with network-based attack vector and low attack complexity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
Technical ContextAI
This vulnerability affects the tagDiv Opt-In Builder WordPress plugin, which is used for creating email subscription forms and opt-in campaigns. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. Reflected XSS occurs when user-supplied data is immediately returned by a web application without proper validation or encoding, allowing malicious scripts to be executed in the victim's browser. The vulnerability was reported by Patchstack's audit team and tracked as EUVD-2025-208860 in the ENISA EU Vulnerability Database. The plugin fails to sanitize input parameters before rendering them in HTTP responses, enabling attackers to inject JavaScript payloads that execute when victims access specially crafted URLs.
RemediationAI
Website administrators should immediately upgrade the tagDiv Opt-In Builder plugin to a version newer than 1.7.3 that addresses this reflected XSS vulnerability. Check the official WordPress plugin repository or the tagDiv vendor website for the latest patched version and apply the update through the WordPress admin dashboard. Until patching is feasible, consider temporarily disabling the plugin if it is not critical to operations, or implement Web Application Firewall (WAF) rules to filter suspicious query parameters and block common XSS attack patterns. Additionally, educate users about the risks of clicking untrusted links and implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability for specific technical details and remediation guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208860