tagDiv Composer - XSS (CVE-2023-3169)

CVE-2023-3169 is a vulnerability in the tagDiv Composer WordPress plugin prior to version 4.2 that allows unauthenticated users to exploit insufficient authorization and input validation in a REST route, leading to stored cross-site scripting (XSS) attacks. This flaw could enable attackers to inject malicious scripts that execute in the browsers of site visitors, potentially compromising user data and site integrity.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2023-3169 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2023-3169 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit the /wp-json/tdw/save_css endpoint by injecting malicious JavaScript into the compiled_css parameter, resulting in stored XSS that is triggered when the CSS is loaded on WordPress sites using the tagDiv Composer plugin.