Reflected Cross-Site Scripting Vulnerability in TagDiv Composer Plugin
CVE-2024-3886

6.1MEDIUM

Key Information:

Vendor

Wordpress

Vendor
CVE Published:
31 August 2024

What is CVE-2024-3886?

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ā€˜envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affected Version(s)

tagDiv Composer * <= 5.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Truoc Phan
.
The Cyber Security Vulnerability Database.