CVE-2025-9030 identifies a stored cross-site scripting vulnerability in the Majestic Before After Image plugin for WordPress, specifically in versions up to 2.0.1. The issue stems from insufficient sanitization and escaping of user-supplied input in the 'before_label' and 'after_label' parameters. These parameters are used to label images in a before-and-after comparison feature. Because the plugin fails to properly neutralize malicious input, authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code that is stored persistently in the WordPress database. When any user, including administrators or visitors, accesses a page containing the injected labels, the malicious script executes in their browser context. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other client-side attacks. The vulnerability requires authentication but no additional user interaction, and the attack complexity is low due to the straightforward injection vector. The CVSS 3.1 base score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is used on WordPress sites worldwide, and the vulnerability affects all versions up to 2.0.1 without available patches at the time of disclosure.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Malicious scripts injected via the stored XSS can hijack user sessions, steal sensitive information such as authentication tokens, or perform unauthorized actions on behalf of users. This can lead to account takeover, data leakage, or defacement of websites, damaging organizational reputation and user trust. Since the vulnerability requires contributor-level access, attackers must first compromise or gain such privileges, which may be easier on sites with weak access controls or social engineering risks. The scope includes all users who visit pages containing the injected payload, potentially affecting administrators and visitors alike. Although availability is not impacted, the indirect consequences of exploitation can disrupt normal operations and require incident response efforts. Organizations running the vulnerable plugin face increased risk of targeted attacks, especially those with active user communities or sensitive data handled via their WordPress sites.

Organizations should immediately assess their WordPress installations for the presence of the Majestic Before After Image plugin and verify the version in use. If running version 2.0.1 or earlier, they should upgrade to a patched version once available or remove the plugin if no update exists. In the interim, administrators can mitigate risk by restricting contributor-level access strictly to trusted users, implementing strong authentication and monitoring for suspicious activity. Applying web application firewall (WAF) rules to detect and block malicious payloads targeting the 'before_label' and 'after_label' parameters can reduce exploitation likelihood. Additionally, site owners should audit existing content for injected scripts and sanitize or remove any suspicious labels. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regular security training for contributors and monitoring plugin updates from the vendor are also recommended to prevent future vulnerabilities.