Platform: wordpress
Component: td-composer
Fixed in: 5.4.3
CVE-2025-50001 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in tagDiv Composer. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of tagDiv Composer from 0.0.0 up to and including 5.4.2, and a patch is available in version 5.4.3.
An attacker exploiting this Reflected XSS vulnerability can inject arbitrary JavaScript into a user's browser when that user opens a specially crafted URL. The injected code can then be used to steal cookies, session tokens, or other sensitive information. The attacker could also redirect the user to a malicious website, deface the page as the victim sees it, or perform actions on behalf of the user without their knowledge. The blast radius extends to any user who opens the crafted URL, making this a significant risk for websites that rely heavily on tagDiv Composer for page building.
CVE-2025-50001 was publicly disclosed on 2026-03-19. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk, and the lack of public exploits does not diminish the importance of applying the patch promptly. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing tagDiv Composer for page building, particularly those with user-generated content or forms, are at risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'tagDiv Composer' /var/www/html/wp-content/plugins/
wp plugin list | grep -i 'td-composer'
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep -i content-type
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-50001 is to immediately upgrade tagDiv Composer to version 5.4.3 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on any user-supplied data displayed on pages using tagDiv Composer. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of protection. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
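The log-monitoring advice above, as an added example that is not part of the original advisory or of tagDiv's code: a small Python scanner that parses combined-format access log lines, URL-decodes each request URL (twice, to catch double-encoded payloads), and flags requests carrying common reflected-XSS indicators; it also checks a plugin version string against the affected range stated on this page. The log lines, IP addresses and timestamps are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Affected range from the advisory: 0.0.0 through 5.4.2; 5.4.3 is the fix.
FIXED_VERSION = (5, 4, 3)

def parse_version(v):
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(version):
    """True if this td-composer version falls inside the affected range."""
    return parse_version(version) < FIXED_VERSION

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:01:02 +0000] "GET /?s=wordpress HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2026:10:01:07 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1020 "-" "curl/8.0"
203.0.113.9 - - [19/Mar/2026:10:01:09 +0000] "GET /page/?x=%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 1020 "-" "curl/8.0"
198.51.100.2 - - [19/Mar/2026:10:02:00 +0000] "GET /wp-content/plugins/td-composer/assets/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of reflected-XSS probing, matched against the decoded URL.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),      # script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event handler (onerror=, onload=, ...)
    re.compile(r"javascript\s*:", re.I),  # javascript: URI
]

def decode_url(url, rounds=2):
    """URL-decode repeatedly so %253C (double-encoded '<') is also caught."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_xss_probes(log_text):
    """Return (ip, timestamp, decoded_url) for each request whose URL carries an XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = decode_url(m.group("url"))
        if any(p.search(url) for p in XSS_PATTERNS):
            hits.append((m.group("ip"), m.group("ts"), url))
    return hits
```

Feed `find_xss_probes` the contents of the real access log to list the requests worth triaging; the two `curl` lines in the sample are flagged, the ordinary search and asset requests are not.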
Update to version 5.4.3, or a newer patched version
CVE-2025-50001 is a Reflected XSS vulnerability in tagDiv Composer allowing attackers to inject malicious scripts via crafted URLs, potentially stealing user data or hijacking sessions.
You are affected if you are using tagDiv Composer versions 0.0.0 through 5.4.2. Upgrade to 5.4.3 to mitigate the risk.
Upgrade tagDiv Composer to version 5.4.3 or later. Implement input validation and output encoding as a temporary workaround.
As of the current disclosure date, there are no known public exploits or active campaigns targeting this vulnerability, but the HIGH severity warrants immediate action.
Refer to the tagDiv Composer website and security advisories for the official announcement and detailed information regarding CVE-2025-50001.