Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable reflected XSS needs no privileges but requires victim interaction (UI:R); DOM execution in another security context yields S:C with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3.
AnalysisAI
Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to lure an authenticated or otherwise targeted user into clicking a crafted link or visiting an attacker-controlled page (UI:R) that supplies a malicious value to the vulnerable tagDiv Composer request parameter; the payload is reflected, so it is not stored and must be delivered per-victim. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, and no privileges required, but exploitation requires user interaction (UI:R) - the victim must click a malicious link or visit an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL targeting the vulnerable tagDiv Composer parameter with an embedded JavaScript payload and delivers it to a logged-in site administrator or editor via phishing email or a malicious page. When the victim clicks the link, the payload reflects into the response and executes in their browser under the site's origin, letting the attacker run actions in the victim's authenticated session such as reading page content or triggering privileged operations. … |
| Remediation | Upgrade tagDiv Composer to a release later than 5.4.3 once the vendor publishes a fixed build; the input data does not specify an exact patched version, so no vendor-released patch version is independently confirmed at time of analysis - monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the tagDiv theme update channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all WordPress installations using tagDiv Composer plugin and either completely disable it if functionality is non-critical, or immediately restrict access to the WordPress wp-admin directory to known IP addresses and authenticated users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tagdiv Composer
View allThe tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordP
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do
The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, do
Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).4. Rated hig
Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attacker
The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting v
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ paramet
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module i
Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43381