Description
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Reflected XSS
Action: Apply Upgrade
AI Analysis

Impact

The Testimonial Master plugin for WordPress contains a reflected cross‑site scripting flaw that occurs when the value of the $_SERVER['PHP_SELF'] variable is output without proper escaping. An unauthenticated attacker can inject arbitrary JavaScript by crafting a malicious URL that, when a victim follows it, embeds the script into the page. This can lead to phishing, credential theft, or site defacement in the victim’s browser.

Affected Systems

The vendor fpcorso provides the Testimonial Master plugin for WordPress. All releases up to and including version 0.2.1 contain the vulnerability; no patched release is available in the data. Users who have not upgraded beyond 0.2.1 are at risk.

Risk and Exploitability

The CVSS score of 6.1 denotes medium severity. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and requires no authentication; an attacker only needs to send a crafted link or embed the URL in phishing content to exploit the flaw.

Generated by OpenCVE AI on April 22, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Testimonial Master to a version newer than 0.2.1.
  • If no newer version exists, disable or uninstall the plugin to eliminate the risk.
  • Apply a site‑wide content security policy that disallows inline scripts and limits script sources to mitigate the impact of any residual XSS.

Generated by OpenCVE AI on April 22, 2026 at 20:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
Description The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:03.045Z

Reserved: 2025-12-05T16:59:24.957Z

Link: CVE-2025-14127

cve-icon Vulnrichment

Updated: 2026-01-07T15:50:42.145Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:53.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14127

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses