Description
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
Published: 2025-12-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity – Unauthorized Modification
Action: Patch
AI Analysis

Impact

The Strong Testimonials plugin for WordPress contains a missing capability check in its 'edit_rating' function. This flaw allows any authenticated user with Contributor-level access to modify or delete the rating meta on any testimonial post, regardless of ownership. The vulnerability is classified as a missing authorization (CWE-862) and directly compromises the integrity of testimonial ratings, potentially skewing displayed data and misleading site visitors.

Affected Systems

All installations of the Strong Testimonials plugin up to and including version 3.2.18 are affected. The impact is limited to the WordPress plugin and does not extend to the core CMS or other plugins.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, primarily due to the limited scope of the flaw and the need for authenticated access. The EPSS score of less than 1% suggests that the probability of exploitation in the wild is very low at present, and the vulnerability is not listed in CISA's KEV catalog. However, the attack vector requires only a valid WordPress nonce, which can be obtained from a contributor's own testimonial edit screen, making the exploitation path straightforward for attackers who already have Contributor or higher privileges. Consequently, sites with exposed Contributor roles are at low to moderate risk of data integrity compromise.
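The missing-authorization pattern described in the Impact and Risk sections above, shown as an added illustrative example: this is not the plugin's actual code, and the function names, AJAX action, meta key and post type name are assumptions. It places an admin-ajax handler that verifies only the nonce beside a hardened version that also checks the caller's capability on the specific post.

```php
<?php
// Illustrative reconstruction of the CWE-862 bug class, NOT Strong Testimonials' code.
// Assumed names: AJAX action 'demo_edit_rating', meta key '_demo_rating',
// post type 'wpm-testimonial'.

// Vulnerable pattern: the nonce only proves the request originated from a
// logged-in user's own edit screen (CSRF protection). It says nothing about
// which post that user is allowed to edit, so any Contributor holding a valid
// nonce can change the meta on any post, including other users' posts.
function demo_edit_rating_vulnerable() {
    check_ajax_referer( 'demo_edit_rating', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $rating  = absint( $_POST['rating'] ?? 0 );
    update_post_meta( $post_id, '_demo_rating', $rating ); // no authorization check
    wp_send_json_success();
}

// Hardened pattern: nonce check (CSRF) plus a per-object capability check
// (authorization) plus input validation. 'edit_post' is a WordPress meta
// capability that maps to edit_posts or edit_others_posts depending on who
// owns the post, so a Contributor passes only for their own unpublished posts.
function demo_edit_rating_hardened() {
    check_ajax_referer( 'demo_edit_rating', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post || 'wpm-testimonial' !== $post->post_type ) {
        wp_send_json_error( 'invalid post', 400 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Accept 1..5 as a rating; anything else is rejected rather than silently stored.
    $rating = isset( $_POST['rating'] ) ? absint( $_POST['rating'] ) : 0;
    if ( $rating < 1 || $rating > 5 ) {
        wp_send_json_error( 'invalid rating', 400 );
    }
    update_post_meta( $post_id, '_demo_rating', $rating );
    wp_send_json_success( array( 'post_id' => $post_id, 'rating' => $rating ) );
}
add_action( 'wp_ajax_demo_edit_rating', 'demo_edit_rating_hardened' );
```

The takeaway for reviewing any WordPress AJAX or REST handler is that a nonce and a capability check answer different questions, and the second one must be made against the object being modified, not just against the user's role.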

Generated by OpenCVE AI on April 20, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Strong Testimonials plugin to version 3.2.19 or later, which includes the missing authorization check.
  • If an immediate update is not possible, restrict the Contributor role or remove users who do not require rating modification permissions.
  • Verify that only users with the appropriate Edit Ratings capability can modify testimonial meta, and consider implementing custom role checks if the plugin does not provide granular control.


Advisories

No advisories yet.

History

Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress; Wpchill; Wpchill strong Testimonials
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress; Wpchill; Wpchill strong Testimonials

Tue, 30 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 12:45:00 +0000

Type Values Removed Values Added
Description The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
Title Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpchill Strong Testimonials
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:32.717Z

Reserved: 2025-12-10T01:58:29.132Z

Link: CVE-2025-14426

Vulnrichment

Updated: 2025-12-30T12:52:17.854Z

NVD

Status: Deferred

Published: 2025-12-30T13:16:22.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses