UNKNOWN (0.0)
    Plugin

    Stored Cross-Site Scripting in Magical Posts Display Plugin

    Published Date: 12/12/2025
    CVE ID: CVE-2025-12965

    Summary

    The 'Magical Posts Display' plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to and including 1.2.54. The issue arises due to inadequate sanitization of the 'mpac_title_tag' parameter, allowing attackers to inject malicious scripts.

    Vulnerability Details

    The vulnerability is located in the Magical Posts Display plugin, specifically within the 'Magical Posts Accordion' widget. The 'mpac_title_tag' parameter accepts HTML tag names without proper validation, enabling attackers with Author-level access or higher to inject harmful scripts. These scripts are stored in the database and trigger whenever a user visits the affected page, potentially leading to session hijacking or privilege escalation. Insufficient input sanitization and output escaping are the root causes, allowing arbitrary JavaScript execution in the browser context of other users. Because the payload is stored, every visitor to an affected page is exposed, including users with administrative privileges. This vulnerability underscores the importance of rigorous input validation and output escaping to prevent cross-site scripting exploits.

    Recommendations

    To mitigate this vulnerability, user input must be thoroughly sanitized and properly escaped, particularly for parameters like 'mpac_title_tag' that are emitted as HTML tag names; a tag name should be checked against a fixed allowlist rather than merely escaped. Limit user capabilities by ensuring that only trusted users have Author-level access. Regularly audit and update plugins to reduce exposure to known vulnerabilities.
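    The pattern described in the vulnerability details and the fix recommended above, shown side by side in plain PHP as an added illustration (this is not the plugin's own code; the function names, the allowlist and the sample settings are assumptions):

```php
<?php
// Added illustration, not code from the Magical Posts Display plugin.
// Function names, the allowlist and the sample settings are hypothetical.

// Vulnerable pattern: a tag name read from a saved widget setting is
// interpolated straight into markup, so whatever was stored becomes
// part of the rendered element, attributes and all.
function mpac_render_title_unsafe(array $settings): string {
    $tag   = $settings['mpac_title_tag'] ?? 'h3';
    $title = htmlspecialchars((string)($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Hardened pattern: the tag name is validated against a fixed allowlist
// before use, and the text content is escaped. Escaping the tag name
// alone is not enough, because a syntactically clean but unexpected
// element name would still be emitted as a real element.
const MPAC_ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

function mpac_sanitize_title_tag(string $tag, string $default = 'h3'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, MPAC_ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function mpac_render_title_safe(array $settings): string {
    $tag = mpac_sanitize_title_tag((string)($settings['mpac_title_tag'] ?? ''));
    // In a WordPress plugin this would be esc_html(); htmlspecialchars()
    // keeps the sample runnable without WordPress loaded.
    $title = htmlspecialchars((string)($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample values for the stored setting: one legitimate tag,
// one unexpected element name, and one tag name carrying extra text.
foreach (['h2', 'script', 'h2 class=x'] as $stored) {
    $out = mpac_render_title_safe(['mpac_title_tag' => $stored, 'title' => 'Latest posts']);
    echo $stored, ' => ', $out, PHP_EOL;
}
// Only the allowlisted value is honoured; the other two fall back to <h3>.
```

    The same allowlist check belongs at save time as well as at render time, so that a rejected value never reaches the database in the first place.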

    Available Fixes

    Last Updated: 12/13/2025
    All Rights Reserved © 2025 Jedar for Digital Rights.
