Platform
wordpress
Component
td-composer
Fixed in
5.4.3
CVE-2025-50001 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in tagDiv Composer. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of tagDiv Composer from 0.0.0 up to and including 5.4.2, and a patch is available in version 5.4.3.
An attacker exploiting this Reflected XSS vulnerability can inject arbitrary JavaScript code into a user's browser when they visit a specially crafted URL. This code can then be used to steal cookies, session tokens, or other sensitive information. The attacker could also redirect the user to a malicious website, deface the website, or perform actions on behalf of the user without their knowledge. The blast radius extends to any user visiting the compromised page, making it a significant risk for websites heavily reliant on tagDiv Composer for page building.
CVE-2025-50001 was publicly disclosed on 2026-03-19. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk, and the lack of public exploits does not diminish the importance of applying the patch promptly. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-50001 is to immediately upgrade tagDiv Composer to version 5.4.3 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on any user-supplied data displayed on pages using tagDiv Composer. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of protection. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
Update to version 5.4.3, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-50001 is a Reflected XSS vulnerability in tagDiv Composer allowing attackers to inject malicious scripts via crafted URLs, potentially stealing user data or hijacking sessions.
You are affected if you are using tagDiv Composer versions 0.0.0 through 5.4.2. Upgrade to 5.4.3 to mitigate the risk.
Upgrade tagDiv Composer to version 5.4.3 or later. Implement input validation and output encoding as a temporary workaround.
As of the current disclosure date, there are no known public exploits or active campaigns targeting this vulnerability, but the HIGH severity warrants immediate action.
Refer to the tagDiv Composer website and security advisories for the official announcement and detailed information regarding CVE-2025-50001.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.