Description
Cross-Site Request Forgery (CSRF) vulnerability in Prakash Awesome Testimonials awesome-testimonials allows Stored XSS. This issue affects Awesome Testimonials: from n/a through <= 2.2.1.
Published: 2025-10-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Awesome Testimonials plugin for WordPress does not protect a testimonial create/edit action against request forgery (CWE-352). An attacker who lures a logged-in user holding the testimonial-editing capability (typically an administrator) onto a page carrying a forged request can have that user's browser submit testimonial content containing script, which the plugin stores without neutralising it. The stored script then executes in the browser of every visitor to a page where the testimonial is rendered. The precondition matters for triage: the attacker needs no account on the site, but does need a privileged user to act, which is what the CVSS vector's PR:N/UI:R expresses.

Affected Systems

The vulnerability affects the Prakash Awesome Testimonials plugin for WordPress in all versions up to and including 2.2.1. The lower bound is given as "n/a", meaning the advisory does not identify a first affected version, so every installed version at or below 2.2.1 should be treated as affected. No other vendors or products are listed as affected.

Risk and Exploitability

The current CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates this as high severity. The history below shows it was revised down from an initial 8.8 (C:H/I:H/A:H with scope unchanged), and the SSVC technical impact was likewise revised from "total" to "partial"; the changed scope (S:C) in the current vector reflects that the script executes in site visitors' browsers rather than on the WordPress server. The EPSS score below 1% estimates a low probability of exploitation in the near term, and the CVE is not in CISA's KEV catalog. EPSS measures likelihood, not consequence, so a low value does not make the stored XSS benign for a site that is specifically targeted. The CVE description does not name the vulnerable endpoint or parameter; what it establishes is that a forged request sent from a privileged user's browser can store script that is later rendered to visitors, which is the standard CSRF-to-stored-XSS chain in WordPress plugins that save form input without a nonce check and without sanitisation.

Generated by OpenCVE AI on April 30, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Awesome Testimonials plugin as soon as the vendor releases a version newer than 2.2.1 that addresses the CSRF and stored XSS flaw. No fixed version is recorded on this page at the time of writing, so check the plugin changelog before treating an update as a fix.
  • Until a fix is available, reduce exposure: keep the set of accounts able to create or edit testimonials as small as possible, have those users avoid browsing untrusted sites while logged in to wp-admin (the forged request rides on their session cookie), and consider deactivating the plugin if testimonials are not essential.
  • As a temporary mitigation, front the site with a WAF or security plugin that rejects cross-origin POSTs to admin paths (mismatched Origin/Referer) and strips script tags, inline event handlers and javascript: URLs from testimonial fields. A proper fix belongs in the plugin itself: a WordPress nonce check (check_admin_referer or wp_verify_nonce), a capability check (current_user_can), input sanitisation with an allow-list (wp_kses), and escaping on output.
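The pattern behind the Impact description above and the fix the recommended actions ask for, as an added illustration that is not the Awesome Testimonials plugin's code. The page does not describe the plugin's hook names, post type, or field names, so the acme_ prefix, the admin_post action names, the acme_testimonial post type and the testimonial/author fields are assumptions. The first handler shows the vulnerable shape (a session-authenticated request is honoured with no nonce, capability or sanitisation check); the second shows the shape a patch would be expected to take.

```php
<?php
// Added example: hypothetical WordPress admin-post handlers illustrating the
// CSRF -> stored XSS pattern and its fix. The 'acme_' prefix, hook names,
// post type and field names are assumptions, not the plugin's own code.

// --- Vulnerable shape: any request carrying the victim's session is honoured.
add_action( 'admin_post_acme_save_testimonial_vuln', 'acme_save_testimonial_vuln' );
function acme_save_testimonial_vuln() {
    // No nonce check: a cross-site form can submit this request from an
    // administrator's browser. No capability check: any logged-in user works.
    $content = $_POST['testimonial'] ?? '';   // raw, may contain <script>
    wp_insert_post( array(
        'post_type'    => 'acme_testimonial',
        'post_status'  => 'publish',
        'post_title'   => $_POST['author'] ?? '',
        'post_content' => $content,            // stored verbatim
    ) );
    // A front-end template that later echoes post_content unescaped
    // turns this into stored XSS against every visitor.
    wp_safe_redirect( admin_url( 'edit.php?post_type=acme_testimonial' ) );
    exit;
}

// --- Hardened shape.
// Form side: emit the nonce field inside the admin form that posts here.
function acme_testimonial_form_nonce() {
    wp_nonce_field( 'acme_save_testimonial', 'acme_nonce' );
}

add_action( 'admin_post_acme_save_testimonial', 'acme_save_testimonial' );
function acme_save_testimonial() {
    // 1. CSRF: the nonce is bound to the user, session and action, so a forged
    //    cross-site request cannot supply it. check_admin_referer() dies on failure.
    check_admin_referer( 'acme_save_testimonial', 'acme_nonce' );

    // 2. Authorisation: require an explicit capability, not merely a session.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input sanitisation against an allow-list of harmless tags. wp_kses()
    //    removes <script>, on* event attributes and javascript: URLs.
    $allowed = array(
        'p'      => array(),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );
    $content = wp_kses( wp_unslash( $_POST['testimonial'] ?? '' ), $allowed );
    $author  = sanitize_text_field( wp_unslash( $_POST['author'] ?? '' ) );

    wp_insert_post( array(
        'post_type'    => 'acme_testimonial',
        'post_status'  => 'publish',
        'post_title'   => $author,
        'post_content' => $content,
    ) );
    wp_safe_redirect( admin_url( 'edit.php?post_type=acme_testimonial' ) );
    exit;
}

// 4. Output escaping: even sanitised storage is escaped again on render, so a
//    record written by an older, unpatched version cannot execute either.
function acme_render_testimonial( WP_Post $post ) {
    return '<blockquote class="testimonial">'
        . wp_kses_post( $post->post_content )
        . '<cite>' . esc_html( $post->post_title ) . '</cite></blockquote>';
}
```

The output step is what makes cleanup after an incident tractable: once rendering goes through wp_kses_post() and esc_html(), a testimonial stored by the vulnerable handler before the patch is neutralised on display, although the stored record should still be reviewed and removed. A WAF Origin/Referer rule approximates the nonce check but cannot replace it, because those headers are not always sent and can be absent on legitimate requests.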

Generated by OpenCVE AI on April 30, 2026 at 14:46 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Metrics: ssvc
  Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Metrics: cvssV3_1
  Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 14:15:00 +0000

Metrics: cvssV3_1
  Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics: ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

First Time appeared
  Added: Wordpress; Wordpress wordpress
Vendors & Products
  Added: Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Description
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Prakash Awesome Testimonials awesome-testimonials allows Stored XSS. This issue affects Awesome Testimonials: from n/a through <= 2.2.1.
Title
  Added: WordPress Awesome Testimonials plugin <= 2.2.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses
  Added: CWE-352
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.357Z

Reserved: 2025-10-24T14:24:41.997Z

Link: CVE-2025-62933

Vulnrichment

Updated: 2025-10-27T15:13:56.750Z

NVD

Status : Deferred

Published: 2025-10-27T02:15:53.123

Modified: 2026-04-27T17:16:35.433

Link: CVE-2025-62933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses