Description
The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via plugin parameter
Action: Update Plugin
AI Analysis

Impact

The Testimonial Post type plugin for WordPress allows an authenticated user with the Contributor role or higher to store malicious scripts through the auto_play parameter. Because the plugin neither sanitizes the input on the way in nor escapes it on output, the injected code is persisted and executes in the browser whenever the affected page is viewed, leading to potential theft of session cookies, defacement, or other client-side compromise. This is a classic stored XSS flaw (CWE-79) that can be leveraged by any user who can create or edit testimonial posts.
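The advisory does not reproduce the plugin's code, so the following is an added illustration, not the Testimonial Post type plugin's own source. It shows, in a hypothetical WordPress shortcode handler, the general shape of the defect the description implies (an attribute value copied into markup without validation or escaping) and a hardened version that constrains auto_play to a boolean and escapes on output, with the same constraint applied when the value is saved as post meta. The shortcode name, attribute names, meta key, hook and function names are assumptions.

```php
<?php
// Added example; not code from the Testimonial Post type plugin.
// All names here (tp_testimonials, _tp_auto_play, tp_example_*) are hypothetical.

// Unsafe pattern behind a stored XSS of this kind, shown for contrast only:
// the attribute is taken from the saved post content and written straight
// into an HTML attribute. A Contributor cannot post raw HTML, but a shortcode
// attribute is plain text to WordPress, so the plugin must do its own checks.
function tp_example_unsafe_render( $atts ) {
    $atts = shortcode_atts( array( 'auto_play' => 'false' ), $atts, 'tp_testimonials' );
    return '<div class="tp-slider" data-autoplay="' . $atts['auto_play'] . '"></div>';
}

// Hardened: the value can only ever mean true or false. wp_validate_boolean()
// maps "true"/"1"/true to true and everything else (including "false") to false.
function tp_example_sanitize_auto_play( $value ) {
    return wp_validate_boolean( $value ) ? 'true' : 'false';
}

function tp_example_safe_render( $atts ) {
    $atts      = shortcode_atts( array( 'auto_play' => 'false' ), $atts, 'tp_testimonials' );
    $auto_play = tp_example_sanitize_auto_play( $atts['auto_play'] );

    // Escape at the point of output even though the value is already
    // constrained to two literals: sanitize on input, escape on output.
    return sprintf(
        '<div class="tp-slider" data-autoplay="%s"></div>',
        esc_attr( $auto_play )
    );
}
add_shortcode( 'tp_testimonials', 'tp_example_safe_render' );

// If the setting is stored as post meta from a meta box, constrain it on save
// as well, and require a capability check and a nonce before writing.
function tp_example_save_auto_play( $post_id ) {
    if ( ! isset( $_POST['tp_auto_play'], $_POST['tp_nonce'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['tp_nonce'] ), 'tp_save_auto_play' ) ) {
        return;
    }
    $clean = tp_example_sanitize_auto_play( wp_unslash( $_POST['tp_auto_play'] ) );
    update_post_meta( $post_id, '_tp_auto_play', $clean ); // only "true" or "false" is ever stored
}
add_action( 'save_post_testimonial', 'tp_example_save_auto_play' );
```

The design point is that a setting with two legitimate values should never be stored or rendered as free text: allow-listing the value removes the injection vector entirely, and `esc_attr()` at output covers the case where some other code path writes the meta value later.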

Affected Systems

The vulnerability is present in all releases of the Testimonial Post type plugin up to and including version 1.2.1; the vendor is identified as juiiee8487. Any WordPress site running a vulnerable version is affected; newer releases beyond 1.2.1 are not known to contain this issue.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at this time, and the defect is not listed in CISA's KEV catalog. The attack vector is inferred to be the WordPress administrative interface: an authenticated Contributor or higher must submit a testimonial containing malicious script, after which any visitor who views that testimonial is exposed to the injected script. The impact is limited to browsers that render the injected content; the attacker cannot elevate privileges or compromise the server directly through this flaw.

Generated by OpenCVE AI on April 20, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Testimonial Post type plugin to the latest available version or apply the vendor-supplied patch that sanitizes the auto_play parameter.
  • If the plugin is not required, disable or delete it to remove the attack surface.
  • Ensure WordPress core, themes, and other plugins are updated to their latest secure versions, reducing the risk of unrelated vulnerabilities that could compound the exploit.

Advisories

Source: EUVD
ID: EUVD-2025-21846
Title: The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Fri, 18 Jul 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 05:30:00 +0000

Type | Values Removed | Values Added
Description: The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title: Testimonial Post type <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter
Weaknesses: CWE-79
References:
Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:00.733Z

Reserved: 2025-06-06T09:24:35.419Z

Link: CVE-2025-5800

Vulnrichment

Updated: 2025-07-18T14:01:07.033Z

NVD

Status: Deferred

Published: 2025-07-18T06:15:26.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses