Skip to main content

Tagdiv Composer

12 CVEs product

Monthly

CVE-2026-57734 HIGH This Week

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Tagdiv Composer
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-39712 MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS Tagdiv Composer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39692 MEDIUM This Month

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.

XSS Tagdiv Composer
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-2806 MEDIUM This Month

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 5.3 due to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer PHP
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-5212 MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-3886 MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-3814 MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Tagdiv Composer
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-3813 HIGH This Week

The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE LFI Information Disclosure +1
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-39166 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF Tagdiv Composer
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-3170 MEDIUM POC This Month

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tagdiv Composer
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-3169 MEDIUM POC This Month

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tagdiv Composer
NVD WPScan
CVSS 3.1
6.1
EPSS
1.6%
CVE-2022-3477 CRITICAL POC Act Now

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Newsmag Newspaper Tagdiv Composer
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
3.5%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Tagdiv Composer
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS Tagdiv Composer
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.

XSS Tagdiv Composer
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 5.3 due to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Tagdiv Composer
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Tagdiv Composer
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE +3
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF Tagdiv Composer
NVD
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tagdiv Composer
NVD WPScan
EPSS 2% CVSS 6.1
MEDIUM POC This Month

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tagdiv Composer
NVD WPScan
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Newsmag +2
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy