CVE-2026-39692

Vulnerability

Overview

The tagDiv Composer plugin for WordPress, versions up to and including 5.4.3, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This vulnerability is classified under CWE-79 and has a CVSS v3 score of 6.5 (Medium) [1].

Exploitation

Details

Exploitation requires a privileged user role (e.g., author or editor) to inject malicious scripts via the plugin's composer interface [1]. The injected payload is stored on the server and executed when any visitor loads the affected page, without requiring additional user interaction from the victim [1].

Impact

A successful attack allows an authenticated attacker to inject arbitrary HTML and JavaScript, which can be used to redirect visitors, display advertisements, steal session cookies, or perform other client-side attacks [1]. This type of vulnerability is frequently leveraged in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vendor has released version 5.4.5 which resolves the issue [1]. Users are strongly advised to update immediately. For those unable to update, implementing a web application firewall or disabling the plugin temporarily is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].