CVE-2025-3510: 
Composer vulnerability analysis and mitigation

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via multiple shortcodes in versions up to and including 5.4, disclosed on May 2, 2025. The vulnerability affects WordPress installations using the tagDiv Composer plugin and stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD, Wiz).

The vulnerability arises from inadequate input sanitization and output escaping on user-supplied attributes in multiple shortcodes. This security flaw has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue affects the plugin's shortcode functionality and requires authenticated users with contributor-level access or higher to exploit (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. When users access an affected page, these injected scripts execute in their browsers, potentially leading to cookie theft, session hijacking, or other client-side attacks targeting site visitors (Wiz).

The vulnerability has been patched in version 12.7.1 of the Newspaper theme released on April 29th, 2025. Users are strongly recommended to update to this version immediately to resolve the XSS vulnerabilities (Theme Changelog).