Description
WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‐site scripting flaw in the "post_title" parameter of the WordPress plugin Testimonial Slider and Showcase. Unsanitized input allows an authenticated editor to inject JavaScript into the testimonial title, which executes when other users view the draft post. This can enable cookie theft and session hijacking on the visitor’s browser.

Affected Systems

The affected product is the RadiusTheme Testimonial Slider and Showcase plugin for WordPress, version 2.2.6. Only users with editor privileges in WordPress can exploit the flaw, as the injection occurs during testimonial creation or editing within the admin interface.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires a valid editor account or the ability to add a testimonial, so the threat surface is limited to sites with editor roles or compromised credentials. Once exploited, the injected script runs in the context of any user viewing the affected testimonial, which can lead to cookie theft and session hijacking. The risk is moderate but the impact on visitor data and session integrity can be significant.

Generated by OpenCVE AI on May 10, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Testimonial Slider and Showcase plugin to a version that properly sanitizes the testimonial title field.
  • Restrict or remove the capability that allows editors to create or edit testimonials, reducing the window for injection.
  • Inspect existing testimonial titles for illicit script tags and remove or sanitize any malicious content.

Generated by OpenCVE AI on May 10, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.
Title WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS
First Time appeared Radiustheme
Radiustheme testimonial Slider And Showcase
Weaknesses CWE-79
CPEs cpe:2.3:a:radiustheme:testimonial_slider_and_showcase:2.2.6:*:*:*:*:wordpress:*:*
Vendors & Products Radiustheme
Radiustheme testimonial Slider And Showcase
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Radiustheme Testimonial Slider And Showcase
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:47.683Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50947

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:32.523

Modified: 2026-05-10T13:16:32.523

Link: CVE-2022-50947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T14:00:13Z

Weaknesses