Impact
The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute. The flaw stems from insufficient input sanitization and missing output escaping when user-supplied shortcode attributes are rendered into page HTML. An authenticated attacker with the Contributor role or higher can inject arbitrary JavaScript into any page that renders the testimonials shortcode. When a user visits the affected page, the injected script runs in that user's browser, potentially enabling defacement, session-cookie theft, or other malicious client-side actions. Exploitation requires an authenticated account, which limits who can plant the payload, but the payload is stored server-side and executes for every visitor of every page containing the injected shortcode. The CVSS score of 6.4 indicates a medium severity risk.
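The flaw class described above, shown as an added illustration rather than the plugin's own code: a hypothetical shortcode handler that writes the 'fx' attribute into HTML unescaped, beside a hardened version that restricts the value to an allow-list and escapes it with WordPress's esc_attr(). The function names, the allow-list values and the data-fx attribute are assumptions; the shims at the top exist only so the file runs under plain php outside WordPress.

```php
<?php
// Added example, not the Canto Testimonials plugin's code. The hypothetical
// handler below reproduces the flaw class in the advisory: a shortcode
// attribute ('fx') written into HTML without escaping.
//
// Shims so this file runs under plain `php` outside WordPress. Inside
// WordPress the real shortcode_atts() and esc_attr() are used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the user-controlled value is concatenated straight into an
// HTML attribute, so a double quote in the value terminates the attribute
// early and whatever follows becomes new attributes on the element.
function testimonials_fx_vulnerable($atts): string {
    $a = shortcode_atts(['fx' => 'fade'], (array) $atts);
    return '<div class="testimonial" data-fx="' . $a['fx'] . '">...</div>';
}

// Hardened: 'fx' is constrained to a fixed allow-list (an effect name has no
// business containing markup) and is still escaped on output, so a later
// change to the allow-list cannot quietly reintroduce the bug.
function testimonials_fx_hardened($atts): string {
    $allowed = ['fade', 'slide', 'none'];          // assumed effect names
    $a = shortcode_atts(['fx' => 'fade'], (array) $atts);
    $fx = in_array($a['fx'], $allowed, true) ? $a['fx'] : 'fade';
    return '<div class="testimonial" data-fx="' . esc_attr($fx) . '">...</div>';
}

// Constructed attacker input. In a post this would be written with a
// single-quoted shortcode attribute, fx='" onmouseover="alert(1)', which
// WordPress's shortcode parser accepts and hands to the handler verbatim.
$attack = ['fx' => '" onmouseover="alert(document.cookie)'];

echo "vulnerable: ", testimonials_fx_vulnerable($attack), PHP_EOL;
echo "hardened:   ", testimonials_fx_hardened($attack), PHP_EOL;
```

Run it with php on the command line: the vulnerable handler emits an element carrying an attacker-supplied onmouseover handler, while the hardened handler falls back to data-fx="fade". Registering either function with add_shortcode() would turn it into a real WordPress shortcode. The allow-list is the primary control here; esc_attr() alone would stop the attribute break-out but would still let arbitrary strings reach any CSS or JavaScript that later consumes the value.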
Affected Systems
The vendor is Canto Themes. The affected product is Canto Testimonials, all releases up to and including version 1.0. No later versions are listed as affected, which suggests, but does not confirm, that a newer release no longer contains the flaw; check the vendor's changelog before relying on that. Organizations running an affected release should determine whether Contributor or higher accounts are held by users who are not fully trusted, since that is the privilege level the attack requires.
Risk and Exploitability
The CVSS score of 6.4 combined with an EPSS score below one percent suggests that, while the vulnerability is medium in severity, it is unlikely to be widely exploited at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred: an authenticated Contributor creates or edits a post that includes the testimonials shortcode with a malicious 'fx' attribute value. WordPress's kses filtering for users without the unfiltered_html capability strips raw script tags from post content, but it does not inspect shortcode attribute values, so the plugin's own escaping is the only thing between the attribute and the rendered HTML. Once the entry is stored, anyone who views the page runs the script; because Contributors cannot publish on their own, an Editor or Administrator who previews the pending post is a likely first victim. Defensive measures are therefore most relevant for sites that grant Contributor or higher access to partially trusted users.
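To look for payloads already stored in content, an added hunting helper (not from the plugin or OpenCVE) that parses shortcodes out of post text and flags any 'fx' attribute whose value contains attribute-breaking or script-like characters. The shortcode tag name testimonials and the sample posts are constructed for the example; on a live site the content would come from the wp_posts table.

```php
<?php
// Added hunting helper, not from the Canto Testimonials plugin or OpenCVE.
// Scans post content for shortcodes carrying an 'fx' attribute whose value
// contains attribute-breaking or script-like characters. The posts below
// are constructed; on a live site feed it wp_posts.post_content (e.g. via
// WP-CLI's `wp post list --field=post_content` or $wpdb).

function find_suspicious_fx(string $content): array {
    $hits = [];
    // Match any [tag attrs] shortcode; the plugin's tag name is not assumed.
    if (!preg_match_all('/\[([A-Za-z0-9_-]+)([^\]]*)\]/', $content, $codes, PREG_SET_ORDER)) {
        return $hits;
    }
    foreach ($codes as $code) {
        // Accept the three quoting forms WordPress's attribute parser allows:
        // fx="...", fx='...', fx=bare. Unmatched groups come back as null.
        if (!preg_match('/\bfx\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"\]]+))/i',
                        $code[2], $attr, PREG_UNMATCHED_AS_NULL)) {
            continue;
        }
        $value = $attr[1] ?? $attr[2] ?? $attr[3] ?? '';
        // A benign effect name never needs quotes, angle brackets, a
        // javascript: scheme, or an on*= event handler.
        if (preg_match('/[<>"\']|javascript\s*:|\bon\w+\s*=/i', $value)) {
            $hits[] = ['tag' => $code[1], 'fx' => $value, 'shortcode' => $code[0]];
        }
    }
    return $hits;
}

// Constructed sample posts (the 'testimonials' tag is hypothetical).
$posts = [
    101 => 'Intro text [testimonials fx="fade" count="3"] more text',
    102 => '[testimonials fx=\'" onmouseover="alert(document.cookie)\' count="3"]',
    103 => '[testimonials fx="javascript:alert(1)"] and [gallery ids="1,2"]',
];

foreach ($posts as $id => $content) {
    foreach (find_suspicious_fx($content) as $hit) {
        printf("post %d: tag=%s fx=%s in %s\n", $id, $hit['tag'], $hit['fx'], $hit['shortcode']);
    }
}
```

Post 101 is clean and produces no output; posts 102 and 103 are reported. The single-quoted form in post 102 matters: it is how an attacker smuggles a double quote past WordPress's own attribute parser, so a hunt that only looks at double-quoted values would miss it. Treat hits as candidates for review, not proof of compromise, and check the revision history of flagged posts to identify the account that introduced the value.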
OpenCVE Enrichment