{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39712", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:22.476Z", "datePublished": "2026-04-08T08:30:48.938Z", "dateUpdated": "2026-04-08T13:11:52.383Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "td-composer", "product": "tagDiv Composer", "vendor": "tagDiv", "versions": [{"lessThanOrEqual": "5.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:45.402Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.<p>This issue affects tagDiv Composer: from n/a through <= 5.4.3.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through <= 5.4.3."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:48.938Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:11:42.402657Z", "id": "CVE-2026-39712", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:11:52.383Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:11:42.402657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:11:26.636Z"}}], "cna": {"title": "WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "tagDiv", "product": "tagDiv Composer", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.4.3"}], "packageName": "td-composer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:45.402Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through <= 5.4.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.<p>This issue affects tagDiv Composer: from n/a through <= 5.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:48.938Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39712", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:11:52.383Z", "dateReserved": "2026-04-07T10:58:22.476Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:48.938Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through <= 5.4.3."}], "id": "CVE-2026-39712", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:44.130", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "tagDiv Composer", "source": "cna", "vendor": "tagDiv"}, "product": "tagdiv_composer", "vendor": "tagdiv"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T15:50:46.609023+00:00", "value": {"mitigation_remediation": ["Update the tagDiv Composer plugin to version 5.4.4 or newer.", "If an update is not yet possible, disable the shortcode feature or limit its use to trusted administrators only.", "Verify that the WordPress theme or any custom code sanitizes all shortcode content before rendering.", "Monitor server and application logs for unexpected script execution or injection attempts.", "Check the vendor\u2019s website and security advisories for any additional mitigations or patches."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Shortcode Execution via XSS"}, "threat_synthesis": {"affected_systems": "WordPress sites that incorporate the tagDiv Composer plugin, specifically all releases from the earliest available version through 5.4.3. The issue applies to any installation of the plugin that does not enforce its default sanitization rules, which is common in stock configurations. Administrators should verify the plugin version and whether the shortcode feature is enabled.", "description_and_impact": "A flaw in the tagDiv Composer plugin allows malicious scripts to be injected through improperly sanitized shortcodes. This basic cross\u2011site scripting weakness can be exploited to run arbitrary JavaScript when a page containing the affected shortcode is viewed. The vulnerability stems from a failure to neutralize script\u2011related HTML tags, making it a CWE\u201180 type issue. Successful exploitation could enable defacement, data theft, or user session hijacking depending on the attacker\u2019s objectives.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a moderate severity, while the exploit potential is considered low, as the referential probability is under 1 percent and it has not yet appeared in the Key Exploited Vulnerabilities catalog. The likely attack vector is remote web\u2011based input: an adversary can supply a crafted shortcode containing malicious script tags, which the plugin then renders unfiltered. In a successful scenario, the attacker would gain the ability to execute code within the context of the compromised site, potentially leading to defacement, data exfiltration, or further system compromise."}}}}, "created": "2026-04-08T19:27:24.690066+00:00", "updated": "2026-04-08T19:40:05.363615+00:00", "vendors": ["tagdiv", "tagdiv$PRODUCT$tagdiv_composer", "wordpress", "wordpress$PRODUCT$wordpress"]}