WordPress website administrators should be aware of a high severity Cross-Site Request Forgery (CSRF) vulnerability detected in the tagDiv Composer Plugin. This security flaw presents significant risks to WordPress security, potentially allowing malicious actors to force higher privileged users to execute unwanted actions without their consent or knowledge.

The vulnerability was discovered and responsibly reported by Truoc Phan, underscoring the importance of proactive security practices in the WordPress ecosystem.


The CSRF vulnerability in the tagDiv Composer Plugin has received a high severity rating, with a CVSS 3.1 score of 7.1.

Affected Versions:

As of now, no patched version of the tagDiv Composer Plugin is available. Additionally, there has been no response from the vendor regarding this vulnerability.


Exploiting this CSRF vulnerability empowers malicious actors to manipulate higher privileged users into executing unwanted actions without their knowledge or consent. The potential consequences include:

  • Unauthorized modifications to website content or settings.
  • Manipulation of user accounts or roles.
  • Execution of actions that may compromise website security or functionality.


Given the high severity of this vulnerability and the lack of a patched version, immediate action is vital to protect the WordPress website:

  1. Temporary Deactivation: For all active and affected tagDiv Composer Plugins, consider temporarily deactivating them until a fix is released. This can mitigate the risk of potential exploitation.
  2. Monitor Updates: Keep a close eye on plugin updates. Once a patched version becomes available, promptly update the tagDiv Composer Plugin to ensure the website’s security.
  3. Alternative Plugins: Explore reputable alternative plugins for similar functionalities that actively receive updates and are maintained by trusted developers.
  4. Security Best Practices: Implement security best practices, such as strong passwords, regular backups, and two-factor authentication, to enhance overall WordPress security.