Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Administrator-level WordPress access maps to PR:H; description explicitly names this role, making the provided PR:L appear to understate the privilege barrier.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.
AnalysisAI
Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
The Ultimate Before After Image Slider & Gallery plugin exposes a BEAF Slider widget configurable via WordPress's shortcode or block editor interfaces. The underlying flaw is that the plugin passes the user-supplied shortcode field value directly through WordPress core's do_shortcode() function and then outputs its return value to the page without applying wp_kses, esc_html, or any equivalent output escaping. WordPress's do_shortcode() is designed to execute registered shortcode handlers and return their output; critically, content that does not match any registered shortcode tag is returned verbatim - making it an unsafe rendering path for untrusted input. This creates a persistent (stored) XSS sink. Although no CWE was formally assigned, the root cause maps squarely to CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected CPE is cpe:2.3:a:unknown:ultimate_before_after_image_slider_&_gallery:*:*:*:*:*:*:*:*, covering all releases prior to 4.7.1.
RemediationAI
Update the Ultimate Before After Image Slider & Gallery WordPress plugin to version 4.7.1 or later, which is confirmed by WPScan to address the missing output escaping in the BEAF Slider widget's shortcode field rendering path. The advisory is available at https://wpscan.com/vulnerability/754f0960-efc8-426f-bb1d-7cceec920910/. If immediate patching is not feasible, restrict configuration of the BEAF Slider widget exclusively to fully trusted administrator accounts and audit all existing BEAF Slider widget instances for injected script payloads - check the shortcode field of every widget instance across all pages and posts. In WordPress multisite environments, consider temporarily disabling the plugin network-wide until the patch can be applied, as sub-site administrators represent a lower-trust population. Note that restricting widget access does not remove already-stored payloads; a manual audit of existing widget configurations is required as a compensating control.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210458
GHSA-h7cp-867p-67hq