Skip to main content

tagDiv Composer CVE-2026-57734

| EUVDEUVD-2026-43381 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable reflected XSS needs no privileges but requires victim interaction (UI:R); DOM execution in another security context yields S:C with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:41 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3.

AnalysisAI

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Deliver link to logged-in user
Exploit
Victim clicks, payload reflected in page
Execution
Script executes in victim's session
Impact
Hijack session or exfiltrate data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to lure an authenticated or otherwise targeted user into clicking a crafted link or visiting an attacker-controlled page (UI:R) that supplies a malicious value to the vulnerable tagDiv Composer request parameter; the payload is reflected, so it is not stored and must be delivered per-victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, and no privileges required, but exploitation requires user interaction (UI:R) - the victim must click a malicious link or visit an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting the vulnerable tagDiv Composer parameter with an embedded JavaScript payload and delivers it to a logged-in site administrator or editor via phishing email or a malicious page. When the victim clicks the link, the payload reflects into the response and executes in their browser under the site's origin, letting the attacker run actions in the victim's authenticated session such as reading page content or triggering privileged operations. …
Remediation Upgrade tagDiv Composer to a release later than 5.4.3 once the vendor publishes a fixed build; the input data does not specify an exact patched version, so no vendor-released patch version is independently confirmed at time of analysis - monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the tagDiv theme update channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations using tagDiv Composer plugin and either completely disable it if functionality is non-critical, or immediately restrict access to the WordPress wp-admin directory to known IP addresses and authenticated users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-3477 CRITICAL POC
9.8 Nov 14

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordP

CVE-2023-3169 MEDIUM POC
6.1 Sep 11

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do

CVE-2024-3813 HIGH
8.8 Jun 15

The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8

CVE-2023-3170 MEDIUM POC
4.8 Sep 11

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do

CVE-2023-39166 HIGH
7.1 Nov 13

Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).4. Rated hig

CVE-2026-39692 MEDIUM
6.5 Apr 08

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attacker

CVE-2025-2806 MEDIUM
6.1 May 08

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting v

CVE-2024-5212 MEDIUM
6.1 Aug 31

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet

CVE-2024-3886 MEDIUM
6.1 Aug 31

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet

CVE-2024-3814 MEDIUM
5.5 Jun 15

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module i

CVE-2026-39712 MEDIUM
5.3 Apr 08

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote

Share

CVE-2026-57734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy