WP-Safety

Magical Posts Display – Elementor Advanced Posts widgets Security & Risk Analysis

wordpress.org/plugins/magical-posts-display

Show your site posts, Pages and Custom Post Types with many different styles by Elementor Widgets.

3K active installs v1.2.57 PHP 7.4+ WP 6.0+ Updated Jan 17, 2026
custom-postelementor-widgetpage-displaypost-displaypost-slider
95
A · Safe
CVEs total4
Unpatched0
Last CVEDec 11, 2025
Plugin page Download
Safety Verdict

Is Magical Posts Display – Elementor Advanced Posts widgets Safe to Use in 2026?

Generally Safe

Score 95/100

Magical Posts Display – Elementor Advanced Posts widgets has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEsLast CVE: Dec 11, 2025Updated 2mo ago
Risk Assessment

The "magical-posts-display" plugin v1.2.57 exhibits a mixed security posture. While it demonstrates strengths in its use of prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. Four AJAX handlers are present, and alarmingly, all of them lack authentication checks. This presents a direct and exploitable pathway for attackers to trigger plugin functionalities without proper authorization, increasing the risk of unauthorized actions or data manipulation.

The vulnerability history is also a point of concern. The plugin has a history of four known CVEs, all classified as medium severity, with common types including Cross-site Scripting and Missing Authorization. While there are currently no unpatched vulnerabilities, the recurring nature of these vulnerability types, particularly Missing Authorization, aligns directly with the static analysis findings of unprotected AJAX handlers. This suggests a persistent weakness in how the plugin handles user input and access control.

In conclusion, the plugin's robust handling of SQL and output escaping are positive indicators of secure coding practices. However, the presence of unprotected AJAX endpoints and a history of authorization-related vulnerabilities create a substantial risk. The potential for unauthorized execution of code through these handlers, coupled with past exploitation patterns, necessitates careful consideration before deployment or requires immediate remediation.

Key Concerns

  • 4 unprotected AJAX handlers
  • History of 4 medium severity CVEs (XSS, Missing Auth)
  • Flows with unsanitized paths (Taint Analysis)
  • 0 Capability checks found
Vulnerabilities
4

Magical Posts Display – Elementor Advanced Posts widgets Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2024
2024
2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
4

4 total CVEs

CVE-2025-12965medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget

Dec 11, 2025 Patched in 1.2.55 (1d)
CVE-2025-54706medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Magical Posts Display <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 30, 2025 Patched in 1.2.53 (6d)
CVE-2024-37951medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Magical Posts Display – Elementor & Gutenberg Posts Blocks <= 1.2.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 10, 2024 Patched in 1.2.39 (17d)
WF-84003388-c47c-41db-8d2d-4643aa375a89-magical-posts-displaymedium · 4.3Missing Authorization

Appsero <= 1.2.1 - Missing Authorization

Dec 16, 2022 Patched in 1.2.16 (699d)
Code Analysis
Analyzed Mar 16, 2026

Magical Posts Display – Elementor Advanced Posts widgets Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
80
613 escaped
Nonce Checks
4
Capability Checks
0
File Operations
1
External Requests
1
Bundled Libraries
0

Output Escaping

88% escaped693 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths
ajax_filter_posts (includes\elementor\widgets\posts-grid.php:3759)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

Magical Posts Display – Elementor Advanced Posts widgets Attack Surface

Entry Points4
Unprotected4

AJAX Handlers 4

authwp_ajax_mgpd_ajax_filter_postsincludes\class-ajax-handler.php:24
noprivwp_ajax_mgpd_ajax_filter_postsincludes\class-ajax-handler.php:25
authwp_ajax_mgpd_infinite_scroll_postsincludes\class-ajax-handler.php:26
noprivwp_ajax_mgpd_infinite_scroll_postsincludes\class-ajax-handler.php:27
WordPress Hooks 25
actionadmin_noticesadmin\admin-page\admin-info.php:16
actioninitadmin\admin-page\admin-info.php:17
actionadmin_noticesadmin\admin-page\admin-info.php:18
actionadmin_noticesadmin\admin-page\admin-info.php:19
actionadmin_noticesadmin\admin-page\admin-info.php:20
actioninitadmin\admin-page\admin-info.php:21
actionwsa_form_top_magical_ptab_homeadmin\admin-page\admin-page.php:17
actionadmin_initadmin\admin-page\admin-page.php:18
actionadmin_menuadmin\admin-page\admin-page.php:19
actionadmin_enqueue_scriptsadmin\admin-page\class.settings-api.php:32
actionadmin_noticesadmin\extra-function.php:74
actionadmin_enqueue_scriptsincludes\class-assets-manager.php:23
actionenqueue_block_assetsincludes\class-assets-manager.php:24
actionenqueue_block_assetsincludes\class-assets-manager.php:25
actionenqueue_block_editor_assetsincludes\class-assets-manager.php:26
actionwp_headincludes\class-hooks-handler.php:28
actionelementor/widgets/registerincludes\elementor\elementor-main.php:14
actionelementor/elements/categories_registeredincludes\elementor\elementor-main.php:15
actionelementor/frontend/after_enqueue_stylesincludes\elementor\elementor-main.php:16
actionelementor/frontend/after_enqueue_scriptsincludes\elementor\elementor-main.php:17
actionelementor/editor/after_enqueue_stylesincludes\elementor\elementor-main.php:18
actionwp_headincludes\mp-posts-function.php:107
actionwp_headincludes\mp-posts-function.php:108
actionwidgets_initincludes\widgets\recent-posts-widget.php:239
actionplugins_loadedmagical-posts-display.php:95
Maintenance & Trust

Magical Posts Display – Elementor Advanced Posts widgets Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 17, 2026
PHP min version7.4
Downloads210K

Community Trust

Rating88/100
Number of ratings10
Active installs3K
Alternatives

Magical Posts Display – Elementor Advanced Posts widgets Alternatives

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

the-post-grid

A
96

Display WordPress posts in beautiful grid, list, slider, and filter layouts. Works with Gutenberg, Elementor, Divi, and Shortcodes.

100K 11 CVEs
Apollo13 Framework Extensions

Apollo13 Framework Extensions

apollo13-framework-extensions

A
95

Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.

20K 6 CVEs
Post Sliders & Post Grids

Post Sliders & Post Grids

post-slider-carousel

A
100

Post Slider & Grid is beautiful responsive post thumbnail image slider and also support post grid display.It support post exclusion/inclusion, Cat &hellip;

1K 1 CVE
FA Lite – WP responsive slider plugin

FA Lite – WP responsive slider plugin

featured-articles-lite

A
85

WordPress slider plugin for Featured Content that can create responsive, video enabled sliders from your existing WordPress content.

600 No CVEs
Content Grid Slider

Content Grid Slider

content-grid-slider

B
78

A fully responsive carousel type Content Slider with Grid layout. Showcase and spotlight your services or products with this awesome slider.

50 1 unpatched
Developer Profile

Magical Posts Display – Elementor Advanced Posts widgets Developer Profile

Noor Alam

102 plugins · 29K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
233 days
View full developer profile
Detection Fingerprints

How We Detect Magical Posts Display – Elementor Advanced Posts widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/magical-posts-display/assets/css/owl.carousel.min.css/wp-content/plugins/magical-posts-display/assets/css/elementor-frontend.css/wp-content/plugins/magical-posts-display/assets/css/elementor-icons.css/wp-content/plugins/magical-posts-display/assets/css/flaticon.css/wp-content/plugins/magical-posts-display/assets/css/frontend.css/wp-content/plugins/magical-posts-display/assets/css/style.css/wp-content/plugins/magical-posts-display/assets/js/frontend.js/wp-content/plugins/magical-posts-display/assets/js/frontend-scripts.js+5 more
Version Parameters
magical-posts-display/assets/css/owl.carousel.min.css?ver=magical-posts-display/assets/css/elementor-frontend.css?ver=magical-posts-display/assets/css/elementor-icons.css?ver=magical-posts-display/assets/css/flaticon.css?ver=magical-posts-display/assets/css/frontend.css?ver=magical-posts-display/assets/css/style.css?ver=magical-posts-display/assets/js/frontend.js?ver=magical-posts-display/assets/js/frontend-scripts.js?ver=magical-posts-display/assets/js/elementor.js?ver=magical-posts-display/assets/js/isotope.js?ver=magical-posts-display/assets/js/magnific-popup.js?ver=magical-posts-display/assets/js/owl.carousel.min.js?ver=magical-posts-display/assets/js/wow.js?ver=

HTML / DOM Fingerprints

CSS Classes
magical-post-display-frontendmagical-post-contentmagical-post-wrappermpd-post-gridmpd-post-listmpd-masonry-gridmpd-slidermpd-carousel
Data Attributes
data-mpd-settings
JS Globals
magical_posts_display_frontend_ajax
Shortcode Output
[magical_posts_display
FAQ

Frequently Asked Questions about Magical Posts Display – Elementor Advanced Posts widgets