{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53222", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-27T10:27:53.890Z", "datePublished": "2026-03-19T08:10:35.552Z", "dateUpdated": "2026-04-28T16:13:21.344Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "td-subscription", "product": "tagDiv Opt-In Builder", "vendor": "tagDiv", "versions": [{"changes": [{"at": "1.7.4", "status": "unaffected"}], "lessThanOrEqual": "1.7.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:41:45.513Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.<p>This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:21.344Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress tagDiv Opt-In Builder plugin <= 1.7.3 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:57:50.487349Z", "id": "CVE-2025-53222", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:58:28.548Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53222", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:57:50.487349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:58:18.896Z"}}], "cna": {"title": "WordPress tagDiv Opt-In Builder plugin <= 1.7.3 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tagDiv", "product": "tagDiv Opt-In Builder", "versions": [{"status": "affected", "changes": [{"at": "1.7.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.3"}], "packageName": "td-subscription", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:41:45.513Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.<p>This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:21.344Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53222", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:13:21.344Z", "dateReserved": "2025-06-27T10:27:53.890Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:10:35.552Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3."}, {"lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en tagDiv tagDiv Opt-In Builder permite XSS Reflejado. Este problema afecta a tagDiv Opt-In Builder: desde n/d hasta 1.7.3."}], "id": "CVE-2025-53222", "lastModified": "2026-04-23T15:32:19.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:15.873", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/td-subscription/vulnerability/wordpress-tagdiv-opt-in-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.3]"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "tagDiv Opt-In Builder", "source": "cna", "vendor": "tagDiv"}, "product": "opt_in_builder", "vendor": "tagdiv"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:17:26.635780+00:00", "value": {"mitigation_remediation": ["Upgrade tagDiv Opt\u2011In Builder to the latest plugin version, which resolves the XSS issue.", "Disable or delete the plugin if it is not needed for site functionality.", "Configure a Content Security Policy (CSP) that restricts inline scripts and disallows unsafe-eval to mitigate the impact of any reflected XSS if the issue is not resolved immediately."], "summary": {"action": "Patch Now", "impact": "Reflected cross\u2011site scripting that allows execution of arbitrary client\u2011side code in users\u2019 browsers."}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress tagDiv Opt\u2011In Builder plugin for all releases from its earliest version through 1.7.3. Site administrators using any of these versions are exposed.", "description_and_impact": "Improper neutralization of input during web page generation in tagDiv Opt\u2011In Builder leads to reflected XSS. A crafted input can be reflected into a page and executed by a visitor\u2019s browser, potentially allowing attackers to steal session cookies, deface the site, or perform phishing attacks. This weakness falls under CWE\u201179, where user input is not safely encoded before output.", "risk_and_exploitability": "The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, reflected XSS can be triggered by a simple URL or form injection, so an attacker only needs to persuade a user to visit a malicious link. The impact is limited to client\u2011side code execution, which could enable session hijacking, defacement, or phishing. No direct server compromise is possible."}}}}, "created": "2026-03-20T08:57:11.076961+00:00", "updated": "2026-04-28T22:30:41.597935+00:00", "vendors": ["tagdiv", "tagdiv$PRODUCT$opt_in_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}