Impact
The Client Testimonial Slider plugin for WordPress contains a stored Cross-Site Scripting flaw (CWE-79) caused by inadequate input sanitization and output escaping of the 'aft_testimonial_meta_name' custom field in the Client Information metabox. The plugin saves whatever is entered into this field to the database and later renders it unescaped on the administrative testimonial page. An authenticated user with Contributor-level or higher privileges can therefore inject arbitrary JavaScript, which executes in the browser of anyone who views that page, enabling defacement, cookie theft, or the delivery of further malicious payloads.
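The following is an added illustration, not code from the Client Testimonial Slider plugin: it shows the vulnerable pattern the advisory describes (a metabox value written to post meta without sanitization and echoed back into the admin screen without escaping) next to a hardened version of the same save and render callbacks. The meta key 'aft_testimonial_meta_name' and the "Client Information" metabox title come from the advisory; the function names, nonce names, the 'testimonial' post type and the text domain are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. The meta key and metabox title
// are taken from the advisory; everything else here is an assumed name.

// --- Vulnerable pattern: raw $_POST stored, raw meta echoed into the page ---
function example_save_name_vulnerable( $post_id ) {
    if ( isset( $_POST['aft_testimonial_meta_name'] ) ) {
        // No sanitization: markup such as <script> reaches the database intact.
        update_post_meta( $post_id, 'aft_testimonial_meta_name', $_POST['aft_testimonial_meta_name'] );
    }
}

function example_render_name_vulnerable( $post ) {
    $name = get_post_meta( $post->ID, 'aft_testimonial_meta_name', true );
    // No escaping: a stored quote closes the attribute and the rest is parsed as HTML.
    echo '<input type="text" name="aft_testimonial_meta_name" value="' . $name . '">';
}

// --- Hardened pattern: verify the request, sanitize on save, escape on output ---
function example_save_name_hardened( $post_id ) {
    // Accept only a genuine form submission from a user who may edit this post.
    if ( ! isset( $_POST['example_name_nonce'] ) ||
         ! wp_verify_nonce( $_POST['example_name_nonce'], 'example_save_name' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( isset( $_POST['aft_testimonial_meta_name'] ) ) {
        // sanitize_text_field() strips tags, line breaks and invalid UTF-8 and
        // trims whitespace, so a client name can never carry markup into the DB.
        $clean = sanitize_text_field( wp_unslash( $_POST['aft_testimonial_meta_name'] ) );
        update_post_meta( $post_id, 'aft_testimonial_meta_name', $clean );
    }
}

function example_render_name_hardened( $post ) {
    wp_nonce_field( 'example_save_name', 'example_name_nonce' );
    $name = get_post_meta( $post->ID, 'aft_testimonial_meta_name', true );
    // Escape for the exact output context: esc_attr() inside an attribute,
    // esc_html() for text. Output escaping also neutralises values that were
    // stored before the sanitizer existed, which matters after a plugin upgrade.
    printf(
        '<label for="aft_testimonial_meta_name">%s</label>',
        esc_html__( 'Client name', 'example-textdomain' )
    );
    printf(
        '<input type="text" id="aft_testimonial_meta_name" name="aft_testimonial_meta_name" value="%s">',
        esc_attr( $name )
    );
}

// Only the hardened callbacks are wired up; the vulnerable ones are kept for contrast.
add_action( 'save_post_testimonial', 'example_save_name_hardened' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_client_info', 'Client Information', 'example_render_name_hardened', 'testimonial' );
} );
```

The reason both the sanitizer and the escaper are needed is that WordPress's KSES filtering, which strips disallowed tags from post content for users without the 'unfiltered_html' capability, does not apply to post meta. A Contributor's input into a custom field reaches the database exactly as submitted unless the plugin sanitizes it itself, and any admin screen that prints that value must escape it for the context in which it appears.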
Affected Systems
All versions of the Client Testimonial Slider WordPress plugin up to and including 2.0 are affected. No particular sub-versions are singled out; the issue exists across the entire range of releases at or before 2.0.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and an EPSS score below 1% signals a low likelihood of active exploitation at the time of this analysis. The vulnerability is not listed in CISA's KEV catalog. Because exploitation requires a Contributor-level authenticated account, the attack vector is internal: an attacker would first need such an account, typically obtained through compromised credentials or social engineering, and the stored payload then fires when the administrative testimonial page is loaded. The resulting impact is limited to users who view that page, but it can facilitate further lateral movement or data theft if those users hold additional privileges.
OpenCVE Enrichment