Vulnerabilities and security researches formagical-posts-display magical-posts-display

Jun 07, 2024

CVE, Research URL: 6a3b1b82ce44e3d051a60a588c883084815f8a11
Home page URL: Security reports for Magical Posts Display – Elementor Advanced Posts widgets
Application: Magical Posts Display – Elementor Advanced Posts widgets
Date: Mar 21, 2023
Research Description: Magical Posts Display – Elementor Advanced Posts widgets [magical-posts-display] < 1.2.16 (closed) WordPress Magical Posts Display – Elementor & Gutenberg Posts Blocks Plugin <= 1.2.15 is vulnerable to Cross Site Request Forgery (CSRF) Update the WordPress Magical Posts Display – Elementor & Gutenberg Posts Blocks plugin to the latest available version (at least 1.2.16). Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Magical Posts Display – Elementor & Gutenberg Posts Blocks Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.2.16.
Affected versions: max 1.2.16.
Status: vulnerable

Jul 14, 2024

CVE, Research URL: CVE-2024-37951
Home page URL: Security reports for Magical Posts Display – Elementor Advanced Posts widgets
Application: Magical Posts Display – Elementor Advanced Posts widgets
Date: Jul 20, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Noor alam Magical Posts Display – Elementor & Gutenberg Posts Blocks allows Stored XSS.This issue affects Magical Posts Display – Elementor & Gutenberg Posts Blocks: from n/a through 1.2.38.
Affected versions: max 1.2.38.
Status: vulnerable

Aug 01, 2025

CVE, Research URL: CVE-2025-54706
Home page URL: Security reports for Magical Posts Display – Elementor Advanced Posts widgets
Application: Magical Posts Display – Elementor Advanced Posts widgets
Date: Aug 14, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Posts Display allows DOM-Based XSS. This issue affects Magical Posts Display: from n/a through 1.2.52.
Affected versions: max 1.2.53.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-12965
Home page URL: Security reports for Magical Posts Display – Elementor Advanced Posts widgets
Application: Magical Posts Display – Elementor Advanced Posts widgets
Date: Dec 12, 2025
Research Description: The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.2.55.
Status: vulnerable