tagDiv Composer < 4.2 – Admin+ Stored XSS | CVE 2023-3170 | Plugin Vulnerabilities

Description

The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Visit Newsmag > Theme panel > Custom Code
3. Enter the following in "Custom CSS" and click "Save Settings":

</style><img src onerror=alert('XSS')><style>

4. Visit the site frontend to see the XSS.

Affects Plugins

Fixed in 4.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan

Submitter website

https://www.facebook.com/292706121240740

Submitter twitter

Verified

Yes

WPVDB ID

e95ff3c6-283b-4e5e-bea0-1f1375da08da

Timeline

Publicly Published

2023-08-17 (about 2 years ago)

Added

2023-08-17 (about 2 years ago)

Last Updated

2023-08-17 (about 2 years ago)

Other

Published

Title

Published

2025-01-06

Title

Coupon Plugin < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

FlexIDX Home Search <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Block Collection for You – WP Block Pack <= 1.1.6 - Reflected Cross-Site Scripting

Published

2021-07-17

Title

iQ Block Country < 1.2.12 - Admin+ Stored Cross-Site Scripting

Published

2023-11-13

Title

BSK Contact Form 7 Blacklist <= 1.0.1 - Reflected Cross-Site Scripting