{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12965", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T17:24:03.812Z", "datePublished": "2025-12-12T11:15:50.299Z", "dateUpdated": "2026-04-08T17:04:07.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.014Z"}, "affected": [{"vendor": "nalam-1", "product": "Magical Posts Display \u2013 Elementor Advanced Posts widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.54", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8352400f-fea1-486d-872a-66340300cee9?source=cve"}, {"url": "https://wordpress.org/plugins/magical-posts-display/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407965%40magical-posts-display&new=3407965%40magical-posts-display&sfp_email=&sfph_mail=#file34"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra"}], "timeline": [{"time": "2025-12-02T01:52:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T22:32:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T14:40:18.284447Z", "id": "CVE-2025-12965", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:40:30.857Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12965", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T14:40:18.284447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:40:26.478Z"}}], "cna": {"title": "Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget", "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nalam-1", "product": "Magical Posts Display \u2013 Elementor Advanced Posts widgets", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.54"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-02T01:52:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T22:32:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8352400f-fea1-486d-872a-66340300cee9?source=cve"}, {"url": "https://wordpress.org/plugins/magical-posts-display/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407965%40magical-posts-display&new=3407965%40magical-posts-display&sfp_email=&sfph_mail=#file34"}], "descriptions": [{"lang": "en", "value": "The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.014Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12965", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:07.014Z", "dateReserved": "2025-11-10T17:24:03.812Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T11:15:50.299Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12965", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T12:15:45.740", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407965%40magical-posts-display&new=3407965%40magical-posts-display&sfp_email=&sfph_mail=#file34"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/magical-posts-display/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8352400f-fea1-486d-872a-66340300cee9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:19:10.748379+00:00", "value": {"mitigation_remediation": ["Upgrade Magical Posts Display to version 1.2.55 or later where the input is properly sanitized", "Implement a site\u2011wide content security policy that blocks inline scripts and restricts script sources to trusted origins", "If upgrading is not feasible, remove or disable the Magical Posts Accordion widget, or completely disable the plugin until a patch is applied"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via the Magical Posts Display plugin widget that allows author\u2011level users to inject arbitrary JavaScript into pages"}, "threat_synthesis": {"affected_systems": "The affected product is Magical Posts Display \u2013 Elementor Advanced Posts widgets from the vendor denoted as nalam-1. All releases from the first version through 1.2.54 are susceptible. Users deploying any of these releases on WordPress sites should verify their installed version.", "description_and_impact": "The vulnerability exists in the mpac_title_tag parameter of the Magical Posts Accordion widget in versions up to and including 1.2.54. Insufficient sanitization of user\u2011supplied HTML tag names lets an authenticated user with Author or higher privileges embed malicious scripts. When a victim opens a page that contains the injected widget, the script executes within the victim\u2019s browser, enabling credential theft, session hijacking, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, with an EPSS score of less than 1% suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication and can be launched from the WordPress admin console, where an attacker with Author or higher privileges can configure the widget. Successful exploitation results in arbitrary code execution in the context of any user who visits the page, potentially compromising confidentiality, integrity, and availability of the site\u2019s user data."}}}}, "created": "2025-12-14T21:16:32.403689+00:00", "updated": "2026-04-21T17:30:37.685948+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "nalam-1", "nalam-1$PRODUCT$magical_products_display", "wordpress", "wordpress$PRODUCT$wordpress"]}