CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder allows Reflected XSS. This issue affects tagDiv Opt-In Builder: from n/a through 1.7.3.
Analysis
The tagDiv Opt-In Builder WordPress plugin, in versions up to and including 1.7.3, contains a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation. An attacker exploits it by getting a user to open a crafted link to the vulnerable site; the payload carried in that request is echoed into the response and runs as arbitrary JavaScript in the victim's browser, in the origin of the affected site, where it can read or act with whatever that user's session allows. The CVSS 3.1 base score is 7.1 (network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality/integrity/availability impact). The issue is not listed in CISA's KEV catalog and no public proof of concept has been documented at this time.
Technical Context
This vulnerability affects the tagDiv Opt-In Builder WordPress plugin, which is used to build email subscription forms and opt-in campaigns. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. Reflected XSS occurs when a web application writes data from the current request (typically a query-string or POST parameter) straight back into its response without validating it on input or encoding it for the HTML context it lands in, so a payload embedded in a crafted URL executes in the browser of whoever opens it. The vulnerability was reported by Patchstack's audit team and is tracked as EUVD-2025-208860 in the ENISA EU Vulnerability Database. The plugin fails to escape request parameters before echoing them into the HTML response, enabling attackers to inject JavaScript that executes when victims access specially crafted URLs. The page does not identify which parameter or endpoint is affected.
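The pattern described above, shown as an added PHP illustration rather than code from the tagDiv plugin (the page does not publish the vulnerable code or the affected parameter, so the parameter name `td_subscribe_msg` and both handlers are hypothetical). The vulnerable handler concatenates a query-string value into markup; the fixed one sanitizes on input and escapes on output for the context it is written into. The `esc_attr`, `esc_html` and `sanitize_text_field` shims exist only so the file runs under plain `php` without WordPress loaded; in a real plugin those functions come from WordPress core and the shims are skipped by the `function_exists` guards.

```php
<?php
// Added example, not tagDiv's code. Parameter name and handlers are hypothetical.

// Shims so the file runs stand-alone; WordPress supplies the real functions.
// The sanitize_text_field shim is a simplified approximation of core's behaviour.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        return trim(strip_tags($str));
    }
}

// CWE-79, reflected: the request value is written verbatim into both an
// attribute and element text, so ?td_subscribe_msg="><script>... breaks out
// of the attribute and runs in the visitor's browser.
function render_notice_vulnerable(array $get): string {
    $msg = isset($get['td_subscribe_msg']) ? (string) $get['td_subscribe_msg'] : '';
    return '<div class="td-notice" data-msg="' . $msg . '">' . $msg . '</div>';
}

// Hardened: sanitize the input, then escape for each output context separately.
// esc_attr() inside the attribute, esc_html() in the text node. Sanitizing alone
// is not enough: a stray double quote would still close the attribute.
function render_notice_fixed(array $get): string {
    $msg = isset($get['td_subscribe_msg'])
        ? sanitize_text_field((string) $get['td_subscribe_msg'])
        : '';
    return '<div class="td-notice" data-msg="' . esc_attr($msg) . '">'
        . esc_html($msg) . '</div>';
}

// Check used after patching: the canary must not survive unencoded in the output.
function reflects_unencoded(string $html, string $canary): bool {
    return strpos($html, $canary) !== false;
}

// Constructed request, simulating $_GET for a crafted link.
$payload = '"><script>alert(document.domain)</script>';
$request = ['td_subscribe_msg' => $payload];

$vuln  = render_notice_vulnerable($request);
$fixed = render_notice_fixed($request);

printf("vulnerable handler echoes raw <script>: %s\n", reflects_unencoded($vuln, '<script>') ? 'yes' : 'no');
printf("fixed handler echoes raw <script>:      %s\n", reflects_unencoded($fixed, '<script>') ? 'yes' : 'no');
printf("fixed handler breaks out of attribute:  %s\n", reflects_unencoded($fixed, '">') ? 'yes' : 'no');
echo $fixed, "\n";
```

Run it with `php reflected_xss_demo.php`. The same `reflects_unencoded()` check, with a canary such as `"'<>` sent in each query parameter of the live page, is a quick way to confirm a deployed update actually neutralises the reflection rather than trusting the version number alone.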
Affected Products
The tagDiv Opt-In Builder WordPress plugin versions from an unspecified initial release through version 1.7.3 are affected by this reflected XSS vulnerability. The ENISA EU Vulnerability Database confirms the affected version range as tagDiv Opt-In Builder n/a through 1.7.3 under tracking ID EUVD-2025-208860. Detailed vulnerability information and vendor advisories are available through Patchstack's vulnerability database at https://patchstack.com/database/wordpress/plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability.
Remediation
Website administrators should upgrade the tagDiv Opt-In Builder plugin to a release newer than 1.7.3 that addresses this reflected XSS vulnerability; the page does not name the first fixed version, so check tagDiv's update channel (the vendor site or the plugin updates screen in the WordPress admin dashboard) for the latest patched release and apply it. Until patching is feasible, consider temporarily deactivating the plugin if it is not critical to operations, or add Web Application Firewall (WAF) rules that filter suspicious query parameters and block common XSS patterns, bearing in mind that signature-based filtering is a stopgap that determined attackers can often bypass, not a fix. A Content Security Policy (CSP) header limits what injected script can do, but only if the policy does not allow 'unsafe-inline' scripts; test the site's own inline scripts against the policy before enforcing it. Educating users about the risks of clicking untrusted links helps, since exploitation requires a victim to open the crafted URL. After updating, retest the site by sending a harmless canary string in the request parameters and confirming it comes back HTML-encoded. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability for specific technical details and remediation guidance.