tagDiv Cloud Library < 3.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-62032 | Plugin Vulnerabilities

Description

The tagDiv Cloud Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and excluding, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

td-cloud-library

Fixed in 3.9.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f97414f7-3544-4ecf-908a-a0215e322e68

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro S Alcântara (Kinorth)

Verified

No

WPVDB ID

0ecaeb97-4f67-4e79-bea8-9c9a6ab7add3

Timeline

Publicly Published

2025-10-16 (about 3 months ago)

Added

2025-10-22 (about 2 months ago)

Last Updated

2025-11-12 (about 2 months ago)

Other

Published

Title

Published

2023-06-22

Title

Event Manager for WooCommerce < 3.9.6 - Editor+ Stored Cross-Site Scripting

Published

2025-02-23

Title

Small Package Quotes – Unishippers Edition < 2.4.10 - Reflected Cross-Site Scripting

Published

2024-10-11

Title

TablePress < 2.4.3 - Author+ Stored XSS

Published

2014-08-01

Title

Whois Search <= 1.4.2 - Cross Site Scripting

Published

2023-01-17

Title

Calculated Fields Form < 1.1.151 - Admin+ Stored Cross-Site Scripting via Dropdown Fields