Skip to main content

EUVDEUVD-2025-208860

| CVE-2025-53222 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2025-208860
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through 1.7.3.

AnalysisAI

The tagDiv Opt-In Builder WordPress plugin versions up to and including 1.7.3 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. An attacker can exploit this by tricking a user into clicking a malicious link, allowing the execution of arbitrary JavaScript in the victim's browser within the context of the vulnerable site. This vulnerability has a CVSS score of 7.1 with network-based attack vector and low attack complexity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

Technical ContextAI

This vulnerability affects the tagDiv Opt-In Builder WordPress plugin, which is used for creating email subscription forms and opt-in campaigns. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. Reflected XSS occurs when user-supplied data is immediately returned by a web application without proper validation or encoding, allowing malicious scripts to be executed in the victim's browser. The vulnerability was reported by Patchstack's audit team and tracked as EUVD-2025-208860 in the ENISA EU Vulnerability Database. The plugin fails to sanitize input parameters before rendering them in HTTP responses, enabling attackers to inject JavaScript payloads that execute when victims access specially crafted URLs.

RemediationAI

Website administrators should immediately upgrade the tagDiv Opt-In Builder plugin to a version newer than 1.7.3 that addresses this reflected XSS vulnerability. Check the official WordPress plugin repository or the tagDiv vendor website for the latest patched version and apply the update through the WordPress admin dashboard. Until patching is feasible, consider temporarily disabling the plugin if it is not critical to operations, or implement Web Application Firewall (WAF) rules to filter suspicious query parameters and block common XSS attack patterns. Additionally, educate users about the risks of clicking untrusted links and implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability for specific technical details and remediation guidance.

Share

EUVD-2025-208860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy