CVE-2025-62031
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer. This issue affects tagDiv Composer: from n/a through <= 5.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in tagDiv Composer <= 5.4.1 allows attackers with contributor+ privileges to inject arbitrary scripts.
Vulnerability Overview
CVE-2025-62031 is a stored Cross-Site Scripting (XSS) vulnerability found in the tagDiv Composer plugin (td-composer) for WordPress, affecting all versions up to and including 5.4.1. The issue originates from improper neutralization of user-supplied input during web page generation, enabling privileged users to inject malicious scripts that execute when site visitors load affected pages [1].
Exploitation Prerequisites
Exploitation requires an authenticated user with at least Contributor-level privileges. The attacker must then craft a payload that gets stored in the plugin's content. Successful execution depends on user interaction—such as a site visitor clicking a malicious link or viewing a specially crafted page—but no additional authentication is needed from the victim beyond normal browsing [1].
Impact
An attacker leveraging this vulnerability can inject arbitrary JavaScript, HTML, or other client-side code. This can lead to redirections to malicious sites, display of unwanted advertisements, theft of session cookies, or defacement of the affected website. The vulnerability is considered moderately dangerous and is likely to be used in mass-exploit campaigns targeting multiple WordPress installations simultaneously [1].
Mitigation
The vendor has released version 5.4.2, which patches the flaw; users are strongly advised to update. For those unable to upgrade right away, Patchstack offers virtual patching rules to block exploitation attempts [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)