CVE-2025-68075 - Vulnerability Details

Description

Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.

Published: 2026-06-26

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Contributor Cross Site Scripting (XSS) in BNE Testimonials plugin allows an attacker to inject arbitrary JavaScript via unfiltered user input, leading to potential session hijacking, site defacement, or phishing attacks against visitors.

Affected Systems

Kerry’s BNE Testimonials plugin for WordPress, any installation using version 2.0.8 or earlier, is affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Exploitation is straightforward because the vulnerability occurs in an input field that is accessible to non‑authenticated users submitting testimonials. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that while exploitation is possible, it has not yet been widely observed. Sites that allow public testimonial submissions or administrative contribution are at risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Kerry

BNE Testimonials

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 2.0.8

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the BNE Testimonials plugin to the latest version that addresses the XSS flaw.
If an update is not immediately available, remove or disable the testimonial functionality to prevent untrusted input from being displayed.
When using the plugin, ensure that all testimonial content is properly escaped before rendering, for instance by using WordPress’s esc_html() or wp_kses() functions, and limit testimonial creation permission to trusted users only.

Generated by OpenCVE AI on June 26, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00161.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/bne-testimonials/vulnerability/wordpress-bne-testimonials-plugin-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve

History

Fri, 26 Jun 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
Title		WordPress BNE Testimonials plugin <= 2.0.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses		CWE-79
References		https://patchstack.com/database/wordpress/plugin/bne-testimonials/vulnerability/wordpress-bne-testimonials-plugin-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-06-26T14:52:17.144Z

Updated: 2026-06-26T14:52:17.144Z

Reserved: 2025-12-15T10:01:24.072Z

Link: CVE-2025-68075

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68075", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:24.072Z", "datePublished": "2026-06-26T14:52:17.144Z", "dateUpdated": "2026-06-26T14:52:17.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-06-26T14:52:17.144Z"}, "title": "WordPress BNE Testimonials plugin <= 2.0.8 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Kerry", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bne-testimonials", "product": "BNE Testimonials", "versions": [{"lessThanOrEqual": "2.0.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions."}], "value": "Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions."}], "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/bne-testimonials/vulnerability/wordpress-bne-testimonials-plugin-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object