Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-2806

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published

2025-05-08T12:15:17.457

Last Modified

2025-06-04T22:53:20.850

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tagdiv	tagdiv_composer	< 5.4	Yes

References

http://localhost:1337/wp-content/plugins/td-composer/legacy/common/wp_booster/td_ajax.php#L2034 Broken Link ([email protected])
https://tagdiv.com/td_deploy/Newspaper/changed_files_12.6.9_12.7.html Release Notes ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/52bd9946-dccc-427a-9abd-0b7153e7484f?source=cve Third Party Advisory ([email protected])