Impact
The Quick Testimonials plugin for WordPress stores administrator-configured testimonial settings without sanitizing them on save or escaping them on output, which creates a stored cross-site scripting flaw. An authenticated attacker with administrator-level privileges can inject arbitrary JavaScript into those settings; the script is rendered, and runs in the visitor's browser within the site's origin, every time someone loads a page that displays the testimonial. From that position it can steal cookies that lack the HttpOnly flag, hijack sessions, deface the page, and stage further client-side attacks against every visitor. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).
Affected Systems
All releases of the Quick Testimonials plugin from the vendor themeregion up to and including version 2.1 are affected. On a single-site installation a WordPress administrator normally holds the unfiltered_html capability and can already publish arbitrary script legitimately, so the flaw is a vulnerability only where administrators lack that capability: on multi-site installations, where only network super administrators hold it, and on installations where it has been disabled, for example with the DISALLOW_UNFILTERED_HTML constant, a hardening step commonly applied in shared hosting environments. On such an installation any administrator or higher-privileged user who can reach the plugin's settings page can store the injected payload; on a multi-site network that includes the administrator of any individual site.
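The following illustrates the vulnerable pattern described under Impact beside its hardened form, together with the unfiltered_html check that decides whether the Affected Systems condition applies. It is an added example written for this page, not code from the Quick Testimonials plugin or from themeregion; the option name qt_demo_settings, the setting keys heading and body, the option group qt_demo_group and the qt_demo_* function names are assumptions chosen for the demonstration.

```php
<?php
// Added illustrative example, not code from the Quick Testimonials plugin.
// Option name, option group, setting keys and function names are assumptions.

// --- Vulnerable pattern: settings saved raw and echoed raw -----------------

function qt_demo_save_settings_vulnerable( array $posted ) {
    // No sanitization: whatever the administrator submitted is stored verbatim,
    // including "<script>" tags or onerror= handlers.
    update_option( 'qt_demo_settings', $posted );
}

function qt_demo_render_vulnerable() {
    $settings = get_option( 'qt_demo_settings', array() );
    // Raw echo: a stored payload runs in the browser of every visitor to this page.
    echo '<h2>' . $settings['heading'] . '</h2>';
    echo '<div class="testimonial">' . $settings['body'] . '</div>';
}

// --- Hardened pattern: sanitize on save, escape on output ------------------

function qt_demo_sanitize_settings( $input ) {
    $clean = array();
    // Plain-text field: sanitize_text_field() strips tags and control characters.
    $clean['heading'] = sanitize_text_field( $input['heading'] ?? '' );
    // Rich-text field: wp_kses_post() keeps the markup a post author may use
    // and drops <script>, <iframe>, on* attributes and javascript: URLs.
    $clean['body'] = wp_kses_post( $input['body'] ?? '' );
    return $clean;
}

add_action( 'admin_init', function () {
    // The Settings API runs sanitize_callback every time this option is saved
    // through options.php, so the payload never reaches the database that way.
    register_setting( 'qt_demo_group', 'qt_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'qt_demo_sanitize_settings',
    ) );
} );

function qt_demo_render_hardened() {
    $settings = get_option( 'qt_demo_settings', array() );
    // Escape at output as well: save-time sanitization only covers the Settings
    // API path, while a value written directly to wp_options (migration, older
    // plugin version, another plugin) still has to be rendered safely.
    echo '<h2>' . esc_html( $settings['heading'] ?? '' ) . '</h2>';
    echo '<div class="testimonial">' . wp_kses_post( $settings['body'] ?? '' ) . '</div>';
}

// --- Why the capability matters ------------------------------------------

// current_user_can( 'unfiltered_html' ) is false for every user when the
// DISALLOW_UNFILTERED_HTML constant is set, and on multi-site for everyone
// except network super administrators. Only in those cases does storing
// script through this plugin grant an administrator something WordPress
// would otherwise have denied them.
function qt_demo_admin_lacks_unfiltered_html() {
    return ! current_user_can( 'unfiltered_html' );
}
```

Sanitizing in the register_setting() callback stops the payload being stored through the Settings API; escaping at render time is the defence that still holds when a value reached the option table by another route. wp_kses_post() preserves ordinary formatting markup while removing script and event-handler attributes, which is exactly the limit an administrator without unfiltered_html is supposed to be held to.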
Risk and Exploitability
The CVSS v3.1 base score of 4.4 places the issue in the medium severity range (4.0 to 6.9), and an EPSS score below 1% indicates a very low current likelihood of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The score is held down by the privileges required: exploitation needs an authenticated administrator account, so the risk scales with how many such accounts exist and how well they are protected. An attacker who obtains one, whether through phished, reused or otherwise compromised credentials, can plant a script that runs for every visitor to the affected pages, compromising user data and the site's reputation. Nothing beyond ordinary remote access to the WordPress administration interface is required.
OpenCVE Enrichment