CVE-2025-11268 - Vulnerability Details

- Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution

Description

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

Published: 2025-11-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The plugin is vulnerable to arbitrary shortcode execution in all versions up to and including 3.2.16 due to lack of validation when a testimonial value is passed to do_shortcode. This flaw allows an unauthenticated attacker to craft a testimonial that triggers the execution of any shortcode during the preview or publish process. The vulnerability is tied to CWE‑79 and can lead to unexpected behavior or code execution if the attacker supplies a malicious shortcode.

Affected Systems

All users of the WordPress “Strong Testimonials” plugin version 3.2.16 or older are affected. This includes any site that has installed the plugin and has not yet upgraded to a later version. Site administrators who allow testimonial submissions could be impacted when an attacker submits a crafted testimonial.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of <1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely HTTP through the testimonial submission form; an attacker only needs to submit a malicious testimonial and does not require authenticated access. If the shortcode processor evaluates code, this could enable arbitrary execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpchill

Strong Testimonials

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.2.16

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—
Wpchill	Strong Testimonials	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Strong Testimonials plugin to the latest available version, removing the input validation issue.
Audit and clean existing testimonials to remove any stored shortcodes or malicious content.
If possible, temporarily disable testimonial submissions or restrict the allowed shortcode list until an update is applied.

Generated by OpenCVE AI on April 21, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00129.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials
https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve

History

Thu, 06 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpchill Wpchill strong Testimonials
Vendors & Products		Wordpress Wordpress wordpress Wpchill Wpchill strong Testimonials

Thu, 06 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 06 Nov 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.
Title		Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Wpchill Strong Testimonials

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-06T08:26:27.860Z

Updated: 2026-04-08T17:23:38.359Z

Reserved: 2025-10-03T19:03:57.976Z

Link: CVE-2025-11268

Vulnrichment

Updated: 2025-11-06T14:44:47.081Z

NVD

Status : Deferred

Published: 2025-11-06T09:15:33.197

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object