CVE-2025-12965
Stored XSS in Magical Posts Display WordPress Plugin Allows Script Injection
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| noor_alam | magical_posts_display | * |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect the CVE-2025-12965 vulnerability on your system, you should check if the installed version of the Magical Posts Display WordPress plugin is at or below version 1.2.54, as these versions are vulnerable. Detection can be done by verifying the plugin version via WordPress admin dashboard or by inspecting the plugin files. There are no specific network detection commands provided in the resources. However, you can use WP-CLI to check the plugin version with the command: `wp plugin get magical-posts-display --field=version`. If the version is 1.2.54 or lower, the plugin is vulnerable. Additionally, reviewing pages using the Magical Posts Accordion widget for suspicious or injected scripts in the 'mpac_title_tag' parameter could indicate exploitation. No specific commands for scanning or network detection are provided in the resources. [3]
Can you explain this vulnerability to me?
The vulnerability in the Magical Posts Display WordPress plugin is a Stored Cross-Site Scripting (XSS) issue occurring via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget. Due to insufficient input sanitization and output escaping of user-supplied HTML tag names, authenticated users with Author-level access or higher can inject arbitrary web scripts. These scripts execute whenever any user accesses the injected page, potentially compromising site security. [3]
How can this vulnerability impact me? :
This vulnerability allows authenticated attackers with Author-level access or above to inject malicious scripts into pages. When other users visit these pages, the injected scripts execute, which can lead to theft of user credentials, session hijacking, defacement, or other malicious actions. This compromises the integrity and security of the website and its users. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2025-12965 in the Magical Posts Display WordPress plugin, immediately update the plugin to version 1.2.55 or later, which addresses the security issue by removing vulnerable dependencies (Bootstrap, CMB2, Carbon Fields) and refactoring the codebase to improve input sanitization and output escaping. Additionally, ensure that all AJAX handlers implement nonce verification and input sanitization as done in version 1.2.54. These updates prevent exploitation of the Stored Cross-Site Scripting vulnerability via the 'mpac_title_tag' parameter. If updating is not immediately possible, restrict Author-level access and above to trusted users only to reduce risk. [1, 3]