The visitor can import the self-signed certificate, so that it becomes trusted and after that MITM won't be possible without certificate errors.

However, this won't help if the certificate is already forged the first time the visitor connects to the site.