Volerion logoVolerion
Volerion logoVolerion

tagDiv Composer WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the tagDiv Composer plugin for WordPress, affecting all versions through 5.3. The vulnerability arises from inadequate nonce validation in the td_ajax_get_views AJAX action, allowing unauthenticated attackers to inject malicious scripts by tricking a site administrator into clicking a link.

Impact

Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to a WordPress site using the tagDiv Composer plugin version 5.3 or earlier. This can be done by tricking an administrator into clicking a link that activates the request, taking advantage of the missing nonce validation.

Remediation

Users are advised to update the tagDiv Composer plugin to version 5.4 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
1.7
exploitability
6.9
remediation
7.7
relevance
0.0
threat
1.6
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.