CVE-2024-3888
Description
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button shortcode in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: The vulnerable code in this plugin is specifically tied to the tagDiv Newspaper theme. If another theme is installed (e.g., NewsMag), this code may not be present.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The tagDiv Composer WordPress plugin, in versions up to and including 4.8, has a stored XSS in its button shortcode caused by insufficient sanitization and output escaping, allowing authenticated users with contributor-level access or higher to inject arbitrary scripts.
Vulnerability
The tagDiv Composer plugin for WordPress, in all versions up to and including 4.8, contains a stored cross-site scripting (XSS) vulnerability in the plugin's button shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes [1]. This flaw is specifically tied to the tagDiv Newspaper theme; if another theme (e.g., NewsMag) is active, the vulnerable code may not be present [Description].
Exploitation
An attacker must be authenticated as a contributor-level user or higher to exploit this vulnerability. The attacker can inject arbitrary web scripts into pages by supplying crafted attributes in the button shortcode. The injected script will execute whenever a victim user accesses the affected page [Description].
Impact
Successful exploitation allows the attacker to execute arbitrary client-side code in the context of the victim's browser session, potentially leading to session hijacking, defacement, or theft of sensitive information [Description][1]. The stored nature of the XSS means the payload persists and can affect multiple users.
Mitigation
The vendor has not released a patch at the time of publication. Users are advised to limit contributor-level access and disable the vulnerable shortcode if possible. The vulnerability only applies when using the tagDiv Newspaper theme [Description][1].
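The root cause named above (user-supplied shortcode attributes reaching HTML without context-appropriate escaping) and the two mitigation steps (escape on output, or unregister the shortcode) are illustrated below with a hypothetical `[demo_button]` shortcode. This is an added example, not tagDiv's code and not derived from it; the shortcode name, attribute names and the `REPLACE_WITH_SHORTCODE_TAG` placeholder are assumptions. The WordPress helpers used (`shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`, `sanitize_html_class`, `add_shortcode`, `remove_shortcode`) are real core functions. The point the example makes is that kses filtering of a contributor's post content runs on the stored markup, not on what a shortcode callback later emits, so the callback itself is the only place escaping can happen.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical [demo_button]
// shortcode that builds a link from user-supplied attributes. The first
// callback shows the vulnerable pattern this CVE describes; the second shows
// the hardened form. Attribute and shortcode names are assumptions.

// --- Vulnerable pattern: attribute values interpolated directly into HTML ---
function demo_button_vulnerable( $atts ) {
    $a = shortcode_atts( array(
        'url'   => '#',
        'text'  => 'Click',
        'class' => 'btn',
        'title' => '',
    ), $atts, 'demo_button' );

    // No escaping: a crafted value in any attribute leaves its attribute
    // context, and because post_content is stored, every later viewer of the
    // page renders it (the "stored" part of stored XSS).
    return '<a href="' . $a['url'] . '" class="' . $a['class']
         . '" title="' . $a['title'] . '">' . $a['text'] . '</a>';
}

// --- Hardened pattern: every value escaped for the context it lands in -------
function demo_button_safe( $atts ) {
    $a = shortcode_atts( array(
        'url'   => '#',
        'text'  => 'Click',
        'class' => 'btn',
        'title' => '',
    ), $atts, 'demo_button' );

    // esc_url() keeps only allowed protocols (http, https, mailto, ...) and
    // returns an empty string for anything else, so a script URL never lands
    // in href. Falling back to '#' keeps the markup valid.
    $url = esc_url( $a['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    // sanitize_html_class() reduces the value to A-Z, a-z, 0-9, '_' and '-'
    // (a single class token; spaces are removed), with 'btn' as the fallback.
    $class = sanitize_html_class( $a['class'], 'btn' );

    // Attribute context and text-node context need different escaping.
    $title = esc_attr( $a['title'] );
    $text  = esc_html( $a['text'] );

    return sprintf(
        '<a href="%s" class="%s" title="%s">%s</a>',
        $url,
        $class,
        $title,
        $text
    );
}

// Register only the hardened callback.
add_shortcode( 'demo_button', 'demo_button_safe' );

// --- Interim mitigation: unregister a shortcode until a fixed version ships --
// Runs late on 'init' so it executes after the plugin has registered its tag.
// The tag name is a placeholder; substitute the real one from the plugin.
add_action( 'init', function () {
    remove_shortcode( 'REPLACE_WITH_SHORTCODE_TAG' );
}, 99 );
```

Dropping the `remove_shortcode` snippet into a must-use plugin (`wp-content/mu-plugins/`) keeps it active regardless of theme or plugin updates, which fits the "disable the vulnerable shortcode if possible" advice above while a patched release is awaited; pair it with the capability review (who holds Contributor and above) since that role boundary is the precondition for the attack.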
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.