CVE-2025-12964 is a stored cross-site scripting vulnerability identified in the Magical Products Display plugin for WordPress, specifically affecting the Elementor WooCommerce Widgets including Product Sliders, Grids, and AJAX Search features. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79). The plugin fails to adequately sanitize and escape user-supplied HTML tag names passed via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget. This allows an authenticated attacker with at least Contributor-level privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes automatically whenever any user accesses the infected page, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability affects all plugin versions up to and including 1.1.29. Exploitation does not require user interaction but does require authentication with contributor or higher privileges. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, and no official patches are currently linked, indicating that mitigation relies on access control and monitoring until a fix is released.

The primary impact of this vulnerability is the potential compromise of confidentiality and integrity on affected WordPress sites. An attacker with Contributor-level access can inject malicious scripts that execute in the context of any user viewing the infected page, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware. This can lead to unauthorized data access, defacement, or pivoting to other parts of the network. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for an attacker to have contributor privileges, but many WordPress sites allow user registrations or have multiple contributors, increasing exposure. The scope includes all sites using the affected plugin versions, which are common in e-commerce environments using WooCommerce and Elementor. The absence of known exploits in the wild suggests limited current exploitation, but the vulnerability could be leveraged in targeted attacks or by insiders. Organizations relying on this plugin for product display and pricing tables may face reputational damage, data leakage, and potential regulatory consequences if exploited.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor all user-generated content fields, especially those related to the MPD Pricing Table widget, for suspicious or unexpected HTML tags or scripts. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected parameters. 4. Regularly audit installed plugins and their versions to identify and update vulnerable components promptly. 5. Since no official patch is currently available, consider temporarily disabling or replacing the Magical Products Display plugin until a secure version is released. 6. Educate content contributors about safe input practices and the risks of injecting HTML tags. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 8. After patch availability, apply updates immediately and verify that input sanitization and output escaping are correctly implemented.