EUVD-2025-208858

CVE-2025-50001 | HIGH 7.1 (CVSS 3.1) | 2026-03-19 | [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Mar 19, 2026 - 09:22 (euvd): EUVD ID Assigned, EUVD-2025-208858
Mar 19, 2026 - 09:22 (vuln.today): Analysis Generated
Mar 19, 2026 - 09:16 (nvd): CVE Published

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through 5.4.2.

Analysis

tagDiv Composer, the page-builder plugin bundled with tagDiv WordPress themes, contains a reflected cross-site scripting (XSS) vulnerability that lets an unauthenticated attacker inject script into pages served by the site. Versions up to and including 5.4.2 are affected. Exploitation requires user interaction (the victim must open a crafted link) but needs no authentication and works over the network, which is why the CVSS 3.1 base score is 7.1 (High).

Technical Context

This vulnerability stems from improper neutralization of input during web page generation (CWE-79), commonly known as cross-site scripting. The tagDiv Composer plugin fails to properly sanitize user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject arbitrary JavaScript or HTML code. The reflected XSS variant means the malicious payload is not stored on the server but instead transmitted through crafted URLs or form submissions. The affected product is identified as tagDiv Composer for WordPress, a page builder component often bundled with tagDiv themes. The vulnerability was reported by Patchstack's security audit team and assigned ENISA EUVD ID EUVD-2025-208858.

Affected Products

The affected product is the tagDiv Composer plugin for WordPress, the page-builder component bundled with tagDiv themes. The advisory gives the affected range as "n/a through 5.4.2", meaning no lower bound is stated, so every version up to and including 5.4.2 should be treated as vulnerable (ENISA EUVD record EUVD-2025-208858). Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/wordpress/plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Remediation

Upgrade tagDiv Composer to a release newer than 5.4.2 as soon as the vendor publishes one; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve is the place to watch for the fixed version. Until the patch is applied: add web application firewall (WAF) rules that detect and block XSS patterns in URL parameters and form submissions; deploy a Content Security Policy (CSP) that restricts script execution to trusted sources (a policy that still allows 'unsafe-inline' for scripts will not stop a reflected inline payload, so pair it with nonces or hashes); warn users, and site administrators in particular, about opening untrusted links to the site, since a reflected payload runs in the victim's browser with that user's session; consider restricting access to the WordPress administrative interfaces to trusted IP ranges; and add input validation at the web server or reverse proxy in front of WordPress.

Priority Score: 36 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0


EUVD-2025-208858 vulnerability details – vuln.today
