Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through <= 3.3.4.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting using the Stars Testimonials plugin
Action: Update Plugin
AI Analysis

Impact

The Stars Testimonials plugin stores user input directly into the database without proper output encoding, allowing an attacker to inject malicious JavaScript that will be served to any site visitor. This stored XSS can lead to session hijacking, credential theft, defacement, or the execution of arbitrary code within the victim’s browser context. The weakness is a classic input validation failure corresponding to CWE‑79.

Affected Systems

WordPress sites that have installed the Stars Testimonials plugin, any version up to and including 3.3.4. Updates to later releases remove the vulnerability and must be applied in all affected deployments.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating moderate severity. Its EPSS score is below 1% and it is not listed in CISA’s KEV catalog, suggesting exploitation is currently rare but not impossible. An attacker would need to submit malicious content through the plugin’s comment or testimonial entry interface, typically requiring authenticated access or an exposed front‑end form that accepts user input.

Generated by OpenCVE AI on April 27, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Stars Testimonials plugin that contains the XSS fix.
  • If a newer plugin release is unavailable, remove the testimonial entry fields that allow unchecked user input and replace them with sanitized input controls.
  • Disable or uninstall the plugin entirely if it is not required for site functionality.

Generated by OpenCVE AI on April 27, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials allows Stored XSS.This issue affects Stars Testimonials: from n/a through 3.3.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through <= 3.3.4.
References

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 11:30:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through <= 3.3.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials allows Stored XSS.This issue affects Stars Testimonials: from n/a through 3.3.4.
References

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through <= 3.3.4.
Title WordPress Stars Testimonials plugin <= 3.3.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:26:19.529Z

Reserved: 2025-12-15T09:59:40.762Z

Link: CVE-2025-67912

cve-icon Vulnrichment

Updated: 2025-12-16T20:46:48.859Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:59.180

Modified: 2026-06-17T09:58:15.050

Link: CVE-2025-67912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')