CVE-2024-3814
📋 TL;DR
This vulnerability allows authenticated WordPress users with author-level permissions or higher to inject malicious scripts into pages using the tagDiv Composer plugin. When other users view these compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using tagDiv Composer versions up to 4.8 are affected.
💻 Affected Systems
- tagDiv Composer WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect visitors to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers with author access inject malicious scripts that steal user session cookies or credentials, leading to account takeover and potential privilege escalation.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement or minor data leakage from affected pages only.
🎯 Exploit Status
Exploitation requires authenticated access with author privileges or higher. The vulnerability is in the 'single' module where user input isn't properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9 or later
Vendor Advisory: https://tagdiv.com/tagdiv-composer-page-builder-basics/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find tagDiv Composer.
4. Click 'Update Now' if available.
5. If not, download the latest version from the WordPress repository or the tagDiv website.
6. Upload and replace the plugin files.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily reduce author-level user permissions or review author accounts for suspicious activity.
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Disable the tagDiv Composer plugin completely until patching is possible.
- Implement strict user access controls and monitor author-level user activities closely.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for tagDiv Composer version. If version is 4.8 or lower, you are vulnerable.
Check Version:
wp plugin list --name=tagdiv-composer --field=version
Verify Fix Applied:
After updating, verify tagDiv Composer version shows 4.9 or higher in WordPress plugins list.
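The version check above is easy to get wrong when scripted, because a plain string comparison treats "4.10" as lower than "4.9". The following added example (not part of this advisory or of the tagDiv project) parses the version string into integers and compares it against the patched release named above. The `wp_cli_version()` helper and the `/var/www/html` path are assumptions; the sample wp-cli output is constructed so the check runs offline.

```python
import re
import subprocess

# Constructed sample of what `wp plugin list --name=tagdiv-composer --field=version`
# prints; the real command is only run if you call wp_cli_version() yourself.
SAMPLE_WP_CLI_OUTPUT = "4.8\n"

PATCHED_VERSION = "4.9"  # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '4.8', '4.10' or '4.9.1-beta' into a tuple of integers.

    Plain string comparison gets this wrong ('4.10' < '4.9' as strings),
    which would flag a site on 4.10 as vulnerable.
    """
    numeric = re.match(r"[\d.]+", version.strip())
    if not numeric:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in numeric.group(0).split(".") if p != ""]
    # Pad so that 4.9 == 4.9.0 and compares cleanly against 4.9.1
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the patched release (< 4.9)."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def wp_cli_version(wp_path: str = "/var/www/html") -> str:
    """Ask wp-cli for the installed plugin version.

    Assumes `wp` is on PATH and wp_path points at the WordPress install.
    Returns an empty string when the plugin is not installed.
    """
    out = subprocess.run(
        ["wp", "plugin", "list", "--name=tagdiv-composer",
         "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Swap SAMPLE_WP_CLI_OUTPUT for wp_cli_version() on a live host.
    installed = SAMPLE_WP_CLI_OUTPUT.strip()
    if not installed:
        print("tagDiv Composer is not installed")
    else:
        state = "VULNERABLE" if is_vulnerable(installed) else "patched"
        print(f"tagDiv Composer {installed}: {state}")
```

Run it after the update as well: a reported version of 4.9 or higher returns `False` from `is_vulnerable()`, which is the "fix applied" condition described above.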
📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications by author-level users
- Multiple page edits in short timeframes
- Suspicious script tags in page content
Network Indicators:
- Unexpected external script loads from WordPress pages
- Suspicious outbound connections from user browsers
SIEM Query:
source="wordpress" AND (event="page_edit" AND user_role="author" AND content CONTAINS "<script>")
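The SIEM query above only matches a literal `<script>` tag. Stored XSS through a page builder can also arrive as inline event handlers or `javascript:` URLs, so a content review should look for those too. The following added example (not part of this advisory or of the tagDiv project) scans post revisions for the indicators listed under Log and Network Indicators and reports which user and role produced them. The `posts` records and their field names are assumed, and the sample content is constructed with harmless placeholder values.

```python
import re
from dataclasses import dataclass

# Coarse triage patterns for markup that author-level content should not contain.
# Each is a (label, compiled regex) pair; expect some false positives and review by hand.
SUSPICIOUS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("inline_event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    # Maps to the "unexpected external script loads" network indicator
    ("external_script_src",
     re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)),
]


@dataclass
class Finding:
    post_id: int
    user: str
    role: str
    indicator: str
    snippet: str


def scan_post(post: dict, roles=None) -> list:
    """Return one Finding per matched indicator in a single post record.

    `roles`, when given, restricts the scan to those WordPress roles
    (e.g. {"author"} to mirror the SIEM query above); None scans every role.
    """
    if roles is not None and post.get("role") not in roles:
        return []
    content = post.get("content", "")
    findings = []
    for label, pattern in SUSPICIOUS_PATTERNS:
        match = pattern.search(content)
        if match:
            start = max(0, match.start() - 20)
            findings.append(Finding(post["id"], post["user"], post["role"],
                                    label, content[start:match.end() + 40]))
    return findings


def scan_posts(posts, roles=None) -> list:
    """Scan a batch of post records (e.g. recent revisions) and flatten results."""
    findings = []
    for post in posts:
        findings.extend(scan_post(post, roles))
    return findings


# Constructed sample revisions; not real site data. The markup uses placeholder
# hosts (.invalid) and a no-op handler so nothing here does anything if rendered.
SAMPLE_POSTS = [
    {"id": 101, "user": "alice", "role": "author",
     "content": "<p>Regular post text with a <a href='/about'>link</a>.</p>"},
    {"id": 102, "user": "bob", "role": "author",
     "content": "<p>Intro</p><img src=\"x\" onerror=\"alert(1)\">"},
    {"id": 103, "user": "carol", "role": "editor",
     "content": "<script src=\"https://cdn.example.invalid/t.js\"></script>"},
    {"id": 104, "user": "dave", "role": "subscriber",
     "content": "<a href=\"javascript:void(0)\">click</a>"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id} by {f.user} ({f.role}): {f.indicator}: {f.snippet!r}")
```

Feed it the `post_content` of recent revisions (for example from `wp post list` output or a direct read of `wp_posts`) and pair each finding with the edit timestamp to spot the "multiple page edits in short timeframes" indicator.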
🔗 References
- https://tagdiv.com/tagdiv-composer-page-builder-basics/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4c2a88c3-5c11-4b42-b8f8-aafecf6c4c74?source=cve