CVE-2025-2804
📋 TL;DR
This reflected cross-site scripting vulnerability in the tagDiv Composer WordPress plugin allows unauthenticated attackers to inject malicious JavaScript via 'account_id' and 'account_username' parameters. Attackers can trick users into clicking specially crafted links to execute arbitrary scripts in their browser context. All WordPress sites using tagDiv Composer plugin versions up to 5.3 with the Newspaper theme are affected.
💻 Affected Systems
- tagDiv Composer WordPress plugin
- Newspaper WordPress theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform account takeover, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise.
Likely Case
Attackers create phishing links that steal user session cookies when clicked, allowing account hijacking of logged-in users.
If Mitigated
With proper web application firewalls and user awareness training, impact is limited to unsuccessful phishing attempts.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is trivial to weaponize in phishing campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.4 or later
Vendor Advisory: https://tagdiv.com/td_deploy/Newspaper/changed_files_12.6.9_12.7.html
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'tagDiv Composer' plugin. 4. Click 'Update Now' if update available. 5. Alternatively, update Newspaper theme to version 12.7 or later.
🔧 Temporary Workarounds
Web Application Firewall Rule
allBlock malicious XSS payloads in account_id and account_username parameters
Input Validation via .htaccess
linuxAdd regex filtering for suspicious characters in URL parameters
RewriteCond %{QUERY_STRING} account_(id|username)=.*[<>"'].* [NC]
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Deploy a web application firewall (WAF) with XSS protection rules
- Implement Content Security Policy headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → tagDiv Composer version. If version ≤5.3, vulnerable.Check Version:
wp plugin list --name=tagdiv-composer --field=versionVerify Fix Applied:
After update, verify plugin version shows 5.4+ in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with account_id or account_username parameters containing script tags or JavaScript
- Unusual referrer URLs with encoded script payloads
Network Indicators:
- URLs with account_id or account_username parameters containing <script>, javascript:, or encoded equivalents
SIEM Query:
http.url:*account_id=*<script>* OR http.url:*account_username=*javascript:*