Description
The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting with contributor-or-higher access
Action: Patch
AI Analysis

Impact

The Majestic Before After Image plugin fails to properly sanitize or escape the content entered in its before_label and after_label fields. Consequently, any text submitted by an authenticated user with contributor or higher privileges is stored unchanged in the database and rendered as part of the page markup when the page is viewed. An attacker can therefore inject arbitrary JavaScript that executes in the victim’s browser, enabling session hijacking, phishing, or other client‑side attacks.

Affected Systems

WordPress sites that have the Majestic Before After Image plugin installed with a version of 2.0.1 or earlier. The vulnerability affects all releases up to that version regardless of the WordPress core version.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be logged in with contributor or higher privileges and to submit malicious content via the plugin’s label fields; once stored, the payload will run whenever any user visits the affected page.

Generated by OpenCVE AI on April 21, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Majestic Before After Image plugin to a version newer than 2.0.1 (e.g., 2.0.2 or later).
  • If a patch is not immediately available, remove contributor or higher privileges from users who do not need to edit the plugin’s label fields, or explicitly disable editing of before_label and after_label for those roles.
  • At the code level, ensure that values stored in before_label and after_label are properly sanitized and escaped (for example, by using WordPress esc_html or esc_js functions) before they are written to the database or rendered in the template.

Generated by OpenCVE AI on April 21, 2026 at 02:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32418 The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 04 Oct 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Majestic Before After Image <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:50.227Z

Reserved: 2025-08-14T10:41:34.788Z

Link: CVE-2025-9030

cve-icon Vulnrichment

Updated: 2025-10-06T14:13:04.765Z

cve-icon NVD

Status : Deferred

Published: 2025-10-04T03:15:38.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9030

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses