Platform
wordpress
Component
td-subscription
Fixed in
1.7.4
CVE-2025-53222 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the tagDiv Opt-In Builder plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions from 0.0.0 up to and including 1.7.3, and a patch is available in version 1.7.4.
The impact of this XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code and trick a user into clicking it. Upon visiting the URL, the injected script would execute in the user's browser within the context of the tagDiv Opt-In Builder plugin. This could allow the attacker to steal cookies, hijack user sessions, deface the website, or redirect users to phishing sites. The scope of the impact depends on the privileges of the affected user and the sensitivity of the data accessible through the WordPress site. Successful exploitation could lead to complete compromise of user accounts and potentially the entire WordPress installation.
CVE-2025-53222 was publicly disclosed on 2026-03-19. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code may become available, increasing the risk of exploitation.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-53222 is to immediately upgrade the tagDiv Opt-In Builder plugin to version 1.7.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious URLs containing JavaScript code. Input validation and output encoding on the server-side can also help prevent XSS attacks, although this is a more complex solution. Regularly scan your WordPress installation for vulnerabilities using a security plugin.
Update to version 1.7.4, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-53222 is a Reflected XSS vulnerability in the tagDiv Opt-In Builder WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
If you are using tagDiv Opt-In Builder versions 0.0.0 through 1.7.3, you are affected by this vulnerability.
Upgrade the tagDiv Opt-In Builder plugin to version 1.7.4 or later to resolve this vulnerability.
There is currently no indication of active exploitation campaigns, but public PoCs may emerge.
Refer to the tagDiv website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.