2025-11-21 09:27:00
Wordfence
PUBLISHED
The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mpdpr_title_tag and mpdpr_subtitle_tag parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.