CVE-2025-1705: 
WordPress vulnerability analysis and mitigation

The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 5.3. The vulnerability was discovered and disclosed on March 28th, 2025 (NVD, Newspaper Changelog).

The vulnerability exists due to missing or incorrect nonce validation within the tdajaxget_views AJAX action. This security flaw allows unauthenticated attackers to inject malicious web scripts through forged requests. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

If exploited, this vulnerability could allow attackers to inject malicious web scripts into the target site, potentially leading to cross-site scripting attacks. The attack requires user interaction, as the attacker needs to trick a site administrator into performing an action such as clicking on a link (NVD).

The vulnerability has been patched in version 12.7 of the Newspaper theme released on March 27th, 2025. Site administrators are strongly recommended to update to this version immediately. The update includes several security fixes, including resolving the XSS issues (Newspaper Changelog).