Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Magical Products Display plugin for WordPress, identified as CVE-2025-12964. It affects all versions up to and including 1.1.29. Authenticated attackers with Contributor-level access or higher can exploit this flaw to inject malicious scripts into website pages. Because the payload is stored, it executes in the browser of every user who views the compromised page.
Technical Details
The vulnerability resides within the MPD Pricing Table widget of the plugin. Specifically, the ‘mpdpr_title_tag’ and ‘mpdpr_subtitle_tag’ parameters are affected. These values are used as HTML tag names when the widget is rendered, and the plugin neither validates them against a list of permitted tags nor escapes them before output.
The problematic code can be found in:
Because the tag-name field is written into the page unchanged, a user who can edit the widget configuration can place arbitrary HTML, including embedded JavaScript, into the rendered page, which then runs in the browser of any visitor.
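The advisory describes the root cause as a tag name taken from widget settings and emitted without validation or escaping. The following PHP is an added example, not the plugin's own code (the Magical Products Display source is not reproduced here), showing the defensive pattern that closes this class of bug: the setting is compared against a fixed allowlist of tag names and replaced with a default when it does not match, and the visible title text is escaped separately. The function names, the allowlist, and the sample inputs are constructed for illustration; in a real WordPress plugin the same check would sit in the widget's render routine and `esc_html()` would take the place of `htmlspecialchars()`.

```php
<?php
// Added example (hypothetical names, not the plugin's code): validate a
// user-supplied heading tag name before it is used to build markup.

// Fixed allowlist of tag names a pricing-table title may legitimately use.
const EXAMPLE_ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

/**
 * Return a tag name that is safe to interpolate into "<$tag>" and "</$tag>".
 * Any value not on the allowlist falls back to $default, so a Contributor
 * can never choose the tag or smuggle attributes through the tag field.
 */
function example_safe_tag(string $user_value, string $default = 'h3'): string
{
    // Normalise before comparing: lowercase, trim, and keep only [a-z0-9].
    // A real tag name never contains spaces, '<', '>', '/', '=' or quotes.
    $candidate = strtolower(trim($user_value));
    $candidate = preg_replace('/[^a-z0-9]/', '', $candidate);

    return in_array($candidate, EXAMPLE_ALLOWED_TITLE_TAGS, true) ? $candidate : $default;
}

/**
 * Render a title using the validated tag and HTML-escaped text content.
 * Escaping the text handles the usual XSS vector; the allowlist handles
 * the tag-name vector that the escaping alone would miss.
 */
function example_render_title(string $tag_setting, string $title_text): string
{
    $tag  = example_safe_tag($tag_setting, 'h3');
    $text = htmlspecialchars($title_text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<{$tag} class=\"example-title\">{$text}</{$tag}>";
}

// Constructed sample settings: the first two resemble normal widget
// configuration; the last two are rejected and replaced by the default tag.
$samples = [
    ['h2',            'Starter plan'],
    ['SPAN',          'Pro plan'],
    ['h2 data-x="1"', 'Attribute placed in the tag field'],
    ['section',       'Tag not on the allowlist'],
];

foreach ($samples as [$tag_setting, $title]) {
    echo example_render_title($tag_setting, $title), PHP_EOL;
}
```

Run with `php example.php`; the first two lines render with the requested tag while the last two are emitted as `<h3>`, demonstrating that no string from the settings field reaches the page as markup. The allowlist is deliberately the control, rather than a character filter alone: stripping unexpected characters without the allowlist would still let a user pick any element name, which is enough to change page structure even if no attribute gets through.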
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 6.4 (Medium).
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Account Takeover: An attacker could steal user credentials or session cookies from users who view the compromised page.
- Malware Distribution: The injected scripts can be used to redirect users to malicious websites or trigger the download of malware.
- Website Defacement: The attacker could modify the content and appearance of the website.
- Data Theft: Sensitive information displayed on the affected pages could be accessed and stolen.
Mitigation and Patch Steps
The recommended course of action is to immediately update the Magical Products Display plugin to the latest available version, which contains a fix for this vulnerability. The fix was implemented in this commit. If an update is not yet available, consider temporarily disabling the plugin until a patched version is released.
Additionally, review your website’s user roles and permissions, ensuring that only trusted individuals have Contributor-level access or higher.
