CVE-2025-8391

The Magic Edge – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of the 'height' parameter in its shortcode [1]. The shortcode attributes are directly taken from user input without validation [2], allowing malicious script injection.

Authenticated attackers with Contributor-level access or higher can exploit this by crafting a post or page containing the vulnerable shortcode with a malicious 'height' value. When any user (including administrators) views the affected page, the injected script executes in their browser, because the output is not escaped before being rendered.

Successful exploitation could lead to session cookie theft, account takeover, defacement, or redirection to malicious sites. The attacker does not need any special network position beyond being able to create or edit posts.

The plugin was closed on July 31, 2025, and is no longer available for download. No patch is provided; users should immediately remove the plugin and consider alternative solutions for background removal in WordPress [1].