Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3.
AnalysisAI
Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.
Technical ContextAI
The vulnerability exists in the tagDiv Composer plugin, a WordPress page builder tool (CPE: cpe:2.3:a:tagdiv:tagdiv_composer), and stems from improper neutralization of user input during web page generation (CWE-79: Improper Neutralization of Input During Web Page Generation). This is a classic stored XSS flaw where attacker-controlled data is persisted in the database without adequate sanitization or encoding, then reflected to other users without proper output encoding. The attack vector is network-based, requires low privileges (PR:L), and needs user interaction to trigger, indicating the vulnerability exists in an authenticated context where a low-privileged user (e.g., contributor or editor) can save malicious content that executes when administrators or other users view the affected page.
RemediationAI
Upgrade tagDiv Composer to a version released after 5.4.3. Users should access the WordPress plugin dashboard, navigate to Plugins, locate tagDiv Composer, and click 'Update' if a newer version is available. If a fixed version newer than 5.4.3 has been released by tagDiv, apply that update immediately. Until a patch is deployed, restrict editing capabilities in WordPress to trusted administrators only by adjusting user role permissions to limit contributor and editor access to page composition features. For detailed advisory information and confirmation of the patched version, refer to the Patchstack security database entry at https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve and the NVD CVE details at https://nvd.nist.gov/vuln/detail/CVE-2026-39692.
More in Tagdiv Composer
View allThe tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordP
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do
The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do
Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).4. Rated hig
Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote
The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting v
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module i
Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20387
GHSA-q9m3-vf6j-c5mf