Description
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Strong Testimonials plugin for WordPress, where insufficient input sanitization and output escaping in the testimonial custom fields allow an authenticated user with Author-level access or higher to store arbitrary script in a testimonial. The stored payload runs in the site's origin whenever a page rendering that testimonial is loaded, in the browser of any visitor or logged-in user who views it. The weakness is a classic stored Cross-Site Scripting flaw, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

All installations of the wpchill Strong Testimonials plugin at version 3.2.11 or earlier are affected. The flaw is in the plugin's custom fields functionality and is independent of the hosting environment: any WordPress site running a vulnerable plugin version is exposed.

Risk and Exploitability

The CVSS 3.1 base score is 6.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, with a scope change because the injected script executes in the browsers of other users rather than in the attacker's own session. The EPSS score is below 1%, indicating a very low observed likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so no widespread active exploitation is known. The attack is performed remotely through the WordPress admin interface by editing a testimonial's custom fields, which requires an account with the Author role or higher. Authors do not hold the unfiltered_html capability in WordPress, so the plugin's own sanitization of these fields is the only barrier to script injection, and it is insufficient. Once a payload is stored, every user who views a page that renders the testimonial executes it, including editors and administrators reviewing the site.

Generated by OpenCVE AI on April 21, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strong Testimonials to a release later than 3.2.11 that addresses the input sanitization and output escaping issue as soon as the vendor publishes one; this page records no fixed version.
  • If an upgrade is not immediately possible, limit the number of accounts with the Author role or higher and review the testimonial custom fields for stored markup such as script tags, event-handler attributes (onerror, onload) or javascript: URLs.
  • In the interim, consider disabling the custom fields feature, or add your own filtering hooks that sanitize the field values on save and escape them on output until the official fix is applied.
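As an added illustration of the last two actions, and not code from the Strong Testimonials plugin or from OpenCVE, the following must-use plugin shows the unescaped rendering pattern the advisory describes next to its escaped form, registers a save-time sanitization filter for a hypothetical list of custom-field meta keys, and scans already-stored values for markup that WordPress's own post-content filter would reject. The meta keys (`company`, `client_role`, `website`), every name prefixed `ts_example_`, and the assumption that the plugin writes these fields through update_post_meta() so that sanitize_meta() runs are assumptions made for the example, not facts from the advisory.

```php
<?php
/**
 * Plugin Name: Testimonial Custom Field Hardening (added example)
 *
 * Illustrative mu-plugin written for this page; it is not code from the
 * Strong Testimonials plugin or from OpenCVE. Drop it into
 * wp-content/mu-plugins/ as an interim measure until a fixed release exists.
 *
 * ASSUMPTIONS (not stated in the advisory):
 *  - the custom-field meta keys are the ones in $ts_example_field_keys;
 *  - the plugin stores those fields through update_post_meta()/add_post_meta(),
 *    so sanitize_meta() and its 'sanitize_post_meta_{$meta_key}' filter run.
 */

// Hypothetical custom-field meta keys; replace with the keys your site uses.
$ts_example_field_keys = array( 'company', 'client_role', 'website' );

/*
 * The pattern the advisory describes: an Author-supplied value concatenated
 * into markup with no escaping. Authors lack the 'unfiltered_html'
 * capability, so nothing else strips a <script> tag or an onerror= handler.
 */
function ts_example_render_vulnerable( $value ) {
	return '<span class="testimonial-field">' . $value . '</span>';
}

/*
 * Hardened output: escape at the point of rendering. esc_html() encodes
 * <, >, &, " and ' so the value can never open a tag or an attribute.
 * Fields that hold a link should go through esc_url() instead.
 */
function ts_example_render_escaped( $value ) {
	return '<span class="testimonial-field">' . esc_html( $value ) . '</span>';
}

/*
 * Storage-side defense: reduce the value to the markup WordPress allows in
 * post content before it is written. wp_kses_post() drops <script>, on*
 * event attributes and javascript: URLs while keeping basic formatting.
 * The signature follows sanitize_meta(): ($meta_value, $meta_key, $object_type).
 */
function ts_example_sanitize_field( $meta_value, $meta_key, $object_type ) {
	if ( is_string( $meta_value ) ) {
		return wp_kses_post( $meta_value );
	}
	return $meta_value; // non-string meta (arrays, ints) is left to the plugin
}
foreach ( $ts_example_field_keys as $ts_example_key ) {
	add_filter( "sanitize_post_meta_{$ts_example_key}", 'ts_example_sanitize_field', 10, 3 );
}

/*
 * Detection for values stored before the filter existed: return every
 * postmeta row under the watched keys whose value changes when passed
 * through wp_kses_post(), i.e. it contained markup KSES would not allow.
 * This is a heuristic; KSES also normalizes harmless entities, so review
 * the hits rather than deleting them blindly.
 */
function ts_example_find_suspicious_fields( array $keys ) {
	global $wpdb;
	if ( empty( $keys ) ) {
		return array();
	}
	$placeholders = implode( ', ', array_fill( 0, count( $keys ), '%s' ) );
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN ({$placeholders})",
			$keys
		)
	);
	$hits = array();
	foreach ( $rows as $row ) {
		if ( is_string( $row->meta_value ) && wp_kses_post( $row->meta_value ) !== $row->meta_value ) {
			$hits[] = $row;
		}
	}
	return $hits;
}
```

Install the file under wp-content/mu-plugins/, adjust the key list to the fields your site actually uses, and call ts_example_find_suspicious_fields( $ts_example_field_keys ) from WP-CLI (wp eval) or a one-off admin page to list rows that need review. The save-time filter only helps for writes that go through the WordPress meta API; if the plugin writes custom fields with direct database queries, output escaping in your theme or template override is the remaining control.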


Advisories
Source   ID                 Title
EUVD     EUVD-2025-21414    The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 15 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values added: {'score': 0.00029}


Tue, 15 Jul 2025 04:30:00 +0000

Type: Description
Values added: The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: Strong Testimonials <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Vendor: Wordpress, Product: Wordpress
Vendor: Wpchill, Product: Strong Testimonials
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:45.025Z

Reserved: 2025-07-08T18:59:25.844Z

Link: CVE-2025-7367

Vulnrichment

Updated: 2025-07-15T13:33:14.049Z

NVD

Status: Deferred

Published: 2025-07-15T05:15:30.247

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:15:26Z

Weaknesses