tagDiv Composer < 4.2 - Stored Cross-Site Scripting
tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/save_css endpoint. An attacker can inject malicious JavaScript code through the compiled_css parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...
Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023
More than 17,000 WordPress websites have been compromised in the month of September 2023 with a malware known as Balada Injector, nearly twice the number of detections in August. Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagD...
CVE-2023-3169
| creationtimestamp | type | source |
|---|---|---|
| 2023-10-10 11:36:55+00:00 | exploited | https://t.me/itsecnews/3432 |
| 2023-10-11 15:16:39+00:00 | exploited | https://t.me/KomunitiSiber/919 |
| 2023-10-11 15:30:02+00:00 | seen | Telegram/ReJUj7XL5RTCHl48Ln6hOhYIjbpjNlCtusbs47L9aTPiow |
| 2025-09-23 20:09:27+00:00 | ... | ... |
CVE-2023-3169
The CVE concerns tagDiv Composer for WordPress (pre-4.2). Concrete detail: unauthenticated stored XSS via the REST endpoint /wp-json/tdw/save_css, exploiting the compiled_css parameter which is stored and later executed when CSS loads. Root cause: authorisation is missing on the REST route and in...
CVE-2023-3169 tagDiv Composer < 4.2 - Unauthenticated Stored XSS
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform...