Platform: wordpress
Component: td-subscription
Fixed in: 1.7.4
CVE-2025-53222 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the tagDiv Opt-In Builder plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions from 0.0.0 up to and including 1.7.3, and a patch is available in version 1.7.4.
The impact of this XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code and trick a user into clicking it. Upon visiting the URL, the injected script would execute in the user's browser within the context of the tagDiv Opt-In Builder plugin. This could allow the attacker to steal cookies, hijack user sessions, deface the website, or redirect users to phishing sites. The scope of the impact depends on the privileges of the affected user and the sensitivity of the data accessible through the WordPress site. Successful exploitation could lead to complete compromise of user accounts and potentially the entire WordPress installation.
CVE-2025-53222 was publicly disclosed on 2026-03-19. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code may become available, increasing the risk of exploitation.
Websites using the tagDiv Opt-In Builder plugin, particularly those with user authentication or sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a vulnerability in one site could potentially be exploited to compromise others.
• wordpress / composer / npm: locate the plugin on disk
  grep -r 'td-subscription' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: list the installed plugin and its version (wp-cli reports plugins by slug, so match on td-subscription)
  wp plugin list | grep td-subscription
• wordpress / composer / npm: update the plugin by slug
  wp plugin update td-subscription
• generic web: Inspect URL parameters for suspicious JavaScript code (e.g., <script>alert('XSS')</script>).
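The version check the commands above perform by hand, as an added example that is not part of the advisory or of tagDiv's code: it reads the standard WordPress "Version:" header from the plugin's main PHP file and reports whether the install is below the fixed release 1.7.4. The sample header is constructed; the plugin's main file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or from tagDiv): flag a td-subscription
# install whose header version is below the CVE-2025-53222 fix, 1.7.4.
# Assumes the plugin's main PHP file carries a WordPress "Version: x.y.z" header.
FIXED_VERSION="1.7.4"

# Numeric component $2 (1..3) of dotted version $1; missing or non-numeric parts count as 0.
vpart() {
    p=$(printf '%s.0.0' "$1" | cut -d. -f"$2" | tr -cd '0-9')
    printf '%s' "${p:-0}"
}

# Return 0 when version $1 sorts strictly before version $2 (major.minor.patch).
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vpart "$1" "$i"); b=$(vpart "$2" "$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# Pull "Version: x.y.z" from a plugin header; accepts both "Version:" and " * Version:" lines.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (affected) when the header version is below FIXED_VERSION.
is_affected() {
    v=$(plugin_version "$1")
    [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample header standing in for the real plugin file; on a live site point
# is_affected at the main PHP file under wp-content/plugins/td-subscription/ (name assumed).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/*
 * Plugin Name: tagDiv Opt-In Builder
 * Version: 1.7.3
 */
EOF
if is_affected "$SAMPLE"; then
    echo "affected: version $(plugin_version "$SAMPLE") < $FIXED_VERSION, update the plugin"
else
    echo "not affected, or no Version header found"
fi
rm -f "$SAMPLE"
```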
EPSS: 0.04% (percentile 11%)
The primary mitigation for CVE-2025-53222 is to immediately upgrade the tagDiv Opt-In Builder plugin to version 1.7.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious URLs containing JavaScript code. Input validation and output encoding on the server-side can also help prevent XSS attacks, although this is a more complex solution. Regularly scan your WordPress installation for vulnerabilities using a security plugin.
Update to version 1.7.4, or a newer patched version
CVE-2025-53222 is a Reflected XSS vulnerability in the tagDiv Opt-In Builder WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
If you are using tagDiv Opt-In Builder versions 0.0.0 through 1.7.3, you are affected by this vulnerability.
Upgrade the tagDiv Opt-In Builder plugin to version 1.7.4 or later to resolve this vulnerability.
There is currently no indication of active exploitation campaigns, but public PoCs may emerge.
Refer to the tagDiv website and WordPress plugin repository for the latest advisory and update information.