
CVE-2025-12964: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nalam-1 Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search

Severity: Medium
Published: Fri Nov 21 2025 (11/21/2025, 09:27:00 UTC)
Source: CVE Database V5
Vendor/Project: nalam-1
Product: Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search

Description

CVE-2025-12964 is a stored Cross-Site Scripting (XSS) vulnerability in the Magical Products Display plugin for WordPress, affecting all versions up to 1.1.29. It arises from improper sanitization and escaping of user-supplied HTML tag names in the MPD Pricing Table widget, specifically the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters. Authenticated users with Contributor-level access or higher can inject malicious scripts that execute whenever any user views the compromised page. The vulnerability has a CVSS score of 6.4, indicating medium severity, with a network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to the confidentiality and integrity of user sessions and data. European organizations using WordPress sites with this plugin, especially e-commerce platforms leveraging Elementor WooCommerce widgets, should prioritize patching or mitigating this issue. Countries with high WordPress adoption and significant e-commerce activity, such as Germany, the UK, France, and the Netherlands, are more likely to be impacted.

AI-Powered Analysis

Last updated: 11/28/2025, 10:58:03 UTC

Technical Analysis

CVE-2025-12964 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Magical Products Display plugin for WordPress, specifically affecting the Elementor WooCommerce Widgets including Product Sliders, Grids, and AJAX Search features. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79), where the plugin fails to sufficiently sanitize and escape user-supplied HTML tag names passed via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget. This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the affected page, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of users. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, and affects confidentiality and integrity but not availability. The scope is significant as it impacts all versions up to and including 1.1.29 of the plugin, which is widely used in WordPress e-commerce sites leveraging Elementor WooCommerce widgets. No official patches or fixes have been published yet, and no known exploits have been observed in the wild, but the risk remains due to the ease of exploitation by authenticated users. The vulnerability was published on November 21, 2025, with a CVSS v3.1 score of 6.4, reflecting medium severity. The issue underscores the importance of proper input validation and output escaping in web applications, especially in plugins that handle dynamic content generation.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to e-commerce and content management platforms running WordPress with the affected Magical Products Display plugin. Exploitation could lead to unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive information such as cookies or credentials, and perform actions with the privileges of affected users. This can undermine customer trust, lead to data breaches, and potentially cause regulatory non-compliance under GDPR due to exposure of personal data. The requirement for Contributor-level access limits the attack surface to insiders or compromised accounts, but many organizations grant such access to multiple users, increasing risk. The vulnerability does not impact availability directly but compromises confidentiality and integrity, which can disrupt business operations and damage reputation. European e-commerce platforms are particularly sensitive to such threats given the high volume of transactions and personal data processed. Additionally, the stored nature of the XSS means that once injected, the malicious payload can affect multiple users over time, amplifying the impact. The absence of known exploits in the wild provides a window for mitigation, but the medium severity score indicates that timely action is necessary to prevent exploitation.

Mitigation Recommendations

1. Restrict Contributor-level and higher access strictly to trusted users and review user roles regularly to minimize the number of accounts that can exploit this vulnerability.
2. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters.
3. Apply manual input validation and output escaping in the plugin code if possible, or disable the MPD Pricing Table widget until an official patch is released.
4. Monitor logs and website content for unexpected script injections or modifications, especially in pages using the affected widget.
5. Educate content contributors about the risks of injecting HTML tags and scripts, and enforce strict content policies.
6. Keep WordPress core, themes, and all plugins up to date, and subscribe to vendor security advisories for timely patch releases.
7. Consider deploying Content Security Policy (CSP) headers to restrict execution of unauthorized scripts.
8. If feasible, isolate or sandbox the affected plugin functionality to limit the impact of potential exploitation.
9. Prepare incident response plans to quickly address any detected exploitation attempts.
10. Engage with the plugin vendor or community to encourage prompt patch development and disclosure.
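As an added example that is not part of this advisory or of the plugin's own code, the following Python shows the kind of allowlist check a fix would apply to the tag-name settings before output, and reuses that check to scan a constructed copy of the Elementor widget tree (the JSON stored in a post's _elementor_data meta) for values that should be treated as suspect, in line with mitigation points 3 and 4. The widgetType name, the allowlist contents and the sample data are assumptions.

```python
import json
import re

# Tag names a pricing-table heading should ever need; anything else is
# treated as suspect. The set itself is an assumption for this example.
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "p", "div", "span"}
WATCHED_KEYS = ("mpdpr_title_tag", "mpdpr_subtitle_tag")
BARE_TAG = re.compile(r"^[a-z][a-z0-9]*$")


def safe_tag(value, default="h3"):
    """Allowlist check of the kind the plugin should apply before output:
    returns the tag if it is a bare, approved name, else the default."""
    tag = str(value).strip().lower()
    return tag if BARE_TAG.match(tag) and tag in ALLOWED_TAGS else default


def find_suspect_tags(elementor_data):
    """Walk the Elementor element tree and report every watched setting
    whose value the allowlist would reject, as (widget_id, key, value)."""
    hits = []
    stack = list(elementor_data)
    while stack:
        node = stack.pop()
        settings = node.get("settings") or {}
        for key in WATCHED_KEYS:
            if key in settings and safe_tag(settings[key], default=None) is None:
                hits.append((node.get("id"), key, settings[key]))
        stack.extend(node.get("elements") or [])
    return sorted(hits)


# Constructed sample of the JSON held in a post's _elementor_data meta
# (the widgetType string is a placeholder, not the plugin's real identifier).
SAMPLE_ELEMENTOR_DATA = json.loads("""[
  {"id": "a1", "elType": "section", "settings": {}, "elements": [
    {"id": "b2", "elType": "widget", "widgetType": "mpd-pricing-table",
     "settings": {"mpdpr_title_tag": "h2", "mpdpr_subtitle_tag": "h3"}},
    {"id": "c3", "elType": "widget", "widgetType": "mpd-pricing-table",
     "settings": {"mpdpr_title_tag": "script",
                  "mpdpr_subtitle_tag": "h4 class=x"}}
  ]}
]""")

if __name__ == "__main__":
    for widget_id, key, value in find_suspect_tags(SAMPLE_ELEMENTOR_DATA):
        print(f"widget {widget_id}: {key} = {value!r} is not an allowed tag name")
```

On a live site the same walk can be run over the `_elementor_data` value of every post that uses the widget, and any hit is content worth reviewing before it is rendered to visitors.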


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-10T17:18:10.990Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692032ceb6fc887540a02d4d

Added to database: 11/21/2025, 9:37:18 AM

Last enriched: 11/28/2025, 10:58:03 AM

Last updated: 1/7/2026, 4:21:42 AM
