VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published Mar 28, 2025 · Updated Apr 15, 2026

CVE-2025-1705

Description

The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the td_ajax_get_views AJAX action. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 5.3, allowing unauthenticated attackers to inject malicious web scripts.

The tagDiv Composer plugin for WordPress, which powers the Newspaper theme's drag-and-drop page builder, contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 5.3. The issue stems from missing or incorrect nonce validation within the td_ajax_get_views AJAX action, allowing an attacker to forge requests that, if executed by an authenticated administrator, can inject arbitrary web scripts.

Exploitation

An unauthenticated attacker can craft a malicious request that performs actions on behalf of a logged-in site administrator. Exploitation requires social engineering: the attacker must trick the administrator into clicking a link or visiting a page that triggers the forged request. Because the AJAX action lacks proper CSRF protections, the administrator's browser sends the request with valid session cookies, so the server accepts the attacker's payload as if the administrator had submitted it.

Impact

Successful exploitation allows the attacker to inject malicious web scripts (stored XSS) into the site. This can lead to further compromise, such as session hijacking, defacement, or redirection of users to attacker-controlled sites. The vulnerability is rated as Medium severity (CVSS 6.1) due to the prerequisite of admin interaction.

Mitigation

The vendor has addressed this vulnerability in tagDiv Composer version 5.4 (included in Newspaper theme version 12.7.6). Users are strongly advised to update the theme and plugin to the latest versions [1]. No workaround is provided; the patch adds proper nonce validation to the affected AJAX action.
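The following is an added illustration of the class of fix described above, not tagDiv Composer's own code: a hypothetical WordPress AJAX handler named after the affected action, shown first without a nonce check and then hardened with `check_ajax_referer` plus a capability check and output escaping. The nonce action string, the request parameters, the script handle used to expose the nonce, and the rendered markup are all assumptions.

```php
<?php
// Hypothetical illustration, not the plugin's code. The hook name follows the
// WordPress convention (wp_ajax_ + action name); the nonce action string,
// POST parameters and the 'td-composer' script handle are assumptions.

// BEFORE (the vulnerable pattern): no nonce check, so any page an administrator
// visits can make their browser issue this request with valid session cookies,
// and the unescaped echo lets attacker-controlled markup reach the page.
function td_ajax_get_views_unsafe() {
    $view = isset( $_POST['view'] ) ? wp_unslash( $_POST['view'] ) : '';
    echo '<div class="td-view">' . $view . '</div>';
    wp_die();
}

// AFTER (hardened): prove the request came from a page that embedded a nonce
// for this action, confirm the user is allowed to do this, and escape output.
function td_ajax_get_views_safe() {
    // Stops the request (HTTP 403) when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'td_ajax_get_views', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $view = isset( $_POST['view'] ) ? sanitize_text_field( wp_unslash( $_POST['view'] ) ) : '';
    wp_send_json_success( array( 'html' => '<div class="td-view">' . esc_html( $view ) . '</div>' ) );
}
add_action( 'wp_ajax_td_ajax_get_views', 'td_ajax_get_views_safe' );

// Legitimate callers get a matching nonce from the page that loads the builder
// script; the client sends it back as the 'nonce' POST field. A forged request
// from another origin cannot obtain this value.
function td_views_expose_nonce() {
    wp_localize_script( 'td-composer', 'tdViews', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'td_ajax_get_views' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'td_views_expose_nonce' );
```

A quick review check for handlers like this: every `wp_ajax_*` callback should call `check_ajax_referer` (or `wp_verify_nonce`) before acting on request data, and the nonce action string passed there must match the one used by `wp_create_nonce` on the requesting page.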

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)