{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39692", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:44.987Z", "dateUpdated": "2026-04-29T09:52:03.946Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "td-composer", "product": "tagDiv Composer", "vendor": "tagDiv", "versions": [{"lessThanOrEqual": "5.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:44.061Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.<p>This issue affects tagDiv Composer: from n/a through <= 5.4.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.946Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress tagDiv Composer plugin <= 5.4.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:34:45.966816Z", "id": "CVE-2026-39692", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:35:39.021Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39692", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:34:45.966816Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:34:41.038Z"}}], "cna": {"title": "WordPress tagDiv Composer plugin <= 5.4.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "tagDiv", "product": "tagDiv Composer", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.4.3"}], "packageName": "td-composer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:44.061Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.<p>This issue affects tagDiv Composer: from n/a through <= 5.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39692", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:35:39.021Z", "dateReserved": "2026-04-07T10:58:10.483Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:44.987Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Stored XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3."}], "id": "CVE-2026-39692", "lastModified": "2026-04-24T18:05:35.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:41.520", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "tagDiv Composer", "source": "cna", "vendor": "tagDiv"}, "product": "tagdiv_composer", "vendor": "tagdiv"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T16:25:22.369325+00:00", "value": {"mitigation_remediation": ["Update the tagDiv Composer plugin to version 5.4.4 or later.", "If a newer version is unavailable, consider disabling the plugin until an update is released.", "Remove any suspicious or injected scripts from existing content managed by Composer.", "Configure the site to enforce strict content sanitization by enabling WordPress\u2019 built\u2011in sanitization filters or using a security plugin."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress sites running the tagDiv Composer plugin version 5.4.3 or earlier are affected. This includes all releases from the earliest version up through 5.4.3, regardless of minor patch levels. Site owners using the plugin should check their WordPress installation for the presence of tagDiv Composer and verify the current version.", "description_and_impact": "This vulnerability arises from improper input sanitization in the tagDiv Composer plugin, allowing attackers to store malicious scripts that run in the browser of anyone who views the affected content. The stored JavaScript can be used to steal session cookies, deface sites, or redirect users to malicious sites, thereby compromising confidentiality and integrity of data seen by site visitors.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates a moderate risk, and the EPSS score of less than 1\u202f% suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating limited evidence of active attacks. Attackers can exploit the flaw by creating or editing content within the Composer interface, injecting JavaScript that is then rendered to all page visitors. Because the payload is stored, the attack is persistent and can affect authenticated and unauthenticated users alike."}}}}, "created": "2026-04-08T19:27:43.325636+00:00", "updated": "2026-04-08T19:40:28.110861+00:00", "vendors": ["tagdiv", "tagdiv$PRODUCT$tagdiv_composer", "wordpress", "wordpress$PRODUCT$wordpress"]}