CVE-2025-62030

Vulnerability

Overview CVE-2025-62030 is a stored cross-site scripting (XSS) vulnerability in the tagDiv Composer plugin for WordPress, affecting versions from n/a through 5.4.1. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the site [1].

Exploitation

Requirements Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or visiting a crafted page. This "user interaction" condition means the attack is not fully automated and relies on social engineering within the WordPress admin context [1].

Impact

A successful attack could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute in the context of visitors' browsers, potentially leading to defacement, phishing, or further compromise of the site [1].

Mitigation

The vulnerability has been patched in version 5.4.2. Users are strongly advised to update immediately to this or a later release. Patchstack offers auto-update capabilities for vulnerable plugins. No workaround is provided beyond updating [1].

The vulnerability is rated Medium (CVSS 6.5) and is considered unlikely to be exploited in mass campaigns due to the required user interaction, but updating remains the recommended action [1].