Impact
A missing authorization check in the WordPress Strong Testimonials plugin allows attackers to bypass intended access controls. The vulnerability, classified as CWE-862 (Missing Authorization), could enable an attacker with any level of web access to use plugin endpoints that should be restricted. This could let them read, create, edit, or delete testimonials or otherwise manipulate data stored by the plugin, compromising data integrity and confidentiality. Without proper privilege checks, even users with limited permissions might gain full control over the plugin's functions.
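To make the CWE-862 pattern concrete, the following is an added, hypothetical WordPress plugin snippet; it is not code from Strong Testimonials and does not describe that plugin's actual endpoints. It assumes a custom post type named testimonial and an admin-ajax action and REST route whose names are invented for the illustration. The first handler shows the defect class (an endpoint that acts on data with no authorization check); the second shows the checks a defender expects to find: a nonce, an object-type check, and a capability check bound to the specific post.

```php
<?php
// Added example (hypothetical plugin code, not the Strong Testimonials plugin).
// Assumptions: custom post type 'testimonial', AJAX action 'demo_delete_testimonial',
// REST namespace 'demo/v1'. All names are invented for this illustration.

// --- BEFORE: CWE-862 Missing Authorization -------------------------------
// The handler trusts the request and runs for any logged-in user; registering
// the wp_ajax_nopriv_ hook as well exposes it to anonymous visitors.
add_action( 'wp_ajax_demo_delete_testimonial', 'demo_delete_testimonial_unchecked' );
add_action( 'wp_ajax_nopriv_demo_delete_testimonial', 'demo_delete_testimonial_unchecked' );
function demo_delete_testimonial_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // no nonce, no capability check, no type check
    wp_send_json_success();
}

// --- AFTER: authorization enforced before any state change -----------------
// Only the authenticated hook is registered; there is no nopriv variant.
add_action( 'wp_ajax_demo_delete_testimonial', 'demo_delete_testimonial_checked' );
function demo_delete_testimonial_checked() {
    // 1. CSRF protection: request must carry a nonce issued for this action.
    check_ajax_referer( 'demo_delete_testimonial', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 2. The target must exist and be of the type this endpoint manages,
    //    so the endpoint cannot be pointed at arbitrary posts.
    if ( ! $post || 'testimonial' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 3. Authorization: the current user must be allowed to delete THIS post.
    //    Passing the post ID lets map_meta_cap resolve delete_post to
    //    delete_posts / delete_others_posts, so low-privilege users cannot
    //    remove entries they do not own.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// The same rule applies to REST routes: permission_callback is where the
// authorization decision belongs. A route registered with
// 'permission_callback' => '__return_true' is the REST equivalent of the
// unchecked AJAX handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/testimonials/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            wp_delete_post( $post_id, true );
            return rest_ensure_response( array( 'deleted' => $post_id ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            $post    = get_post( $post_id );
            if ( ! $post || 'testimonial' !== $post->post_type ) {
                return new WP_Error( 'rest_not_found', 'Not found.', array( 'status' => 404 ) );
            }
            return current_user_can( 'delete_post', $post_id );
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        ),
    ) );
} );
```

When auditing a plugin for this class of issue, the review question for every wp_ajax_*, wp_ajax_nopriv_*, admin_post_* and REST callback is the same: where is the current_user_can() (or equivalent) call, and does it check the capability against the specific object being acted on rather than only checking that a user is logged in? A nonce alone is not authorization; it only proves the request originated from a page the site served to that user.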
Affected Systems
The flaw affects the WP Chill Strong Testimonials WordPress plugin, version 3.2.20 and earlier. All installations that have not upgraded past this version remain vulnerable. The vulnerability lies in the plugin's access-control logic, so systems running any of these versions without additional safeguards are at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is not explicitly detailed, but the description implies that exploitation would involve interacting with the plugin's administrative interfaces, typically through web requests. The exact prerequisites are unclear: some level of authenticated access may be required, or the flaw may be reachable by any actor who can send crafted requests to the plugin's endpoints.
OpenCVE Enrichment