CVE-2025-50001

Vulnerability

Overview

The tagDiv Composer plugin for WordPress, versions up to and including 5.4.2, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page input [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a web page, which is then executed in the context of the victim's browser session.

Exploitation

Details

Exploitation requires user interaction — a privileged user must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attack is reflected, meaning the malicious payload is not stored on the server but is delivered via the crafted URL or request. No authentication is needed to initiate the attack, but the target user must perform the action for the script to execute.

Impact

Successful exploitation allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into the website [1]. When visitors access the affected page, the affected page, the injected script executes, potentially leading to data theft, session hijacking, or defacement. The CVSS v3 score is 7.1 (High), reflecting the potential for widespread impact in mass-exploit campaigns [1].

Mitigation

The vendor has released version 5.4.3 which resolves the vulnerability [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting the hosting provider or web developer for assistance is recommended [1].