CVE-2026-3239 - Vulnerability Details

- Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode

Description

The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-04-08

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from improper handling of attributes supplied to the testimonial_view shortcode in the Strong Testimonials plugin. An authenticated contributor or higher can inject arbitrary JavaScript that is stored and subsequently executed whenever any user accesses a page containing that shortcode. This enables an attacker to hijack sessions, steal credentials, deface content, or redirect users, thereby compromising confidentiality, integrity, and potentially availability.

Affected Systems

The weakness impacts the Strong Testimonials plugin for WordPress released by wpchill. All versions up to and including 3.2.21 are affected and the flaw is tied specifically to the testimonial_view shortcode embedded in plugin templates.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability that requires authenticated access, suggesting that privileged users can exploit it. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, so its exploitation probability is unknown. Attackers typically need to obtain or create a contributor-level account and then inject malicious attributes into the shortcode within a page or post. Because the flaw is stored and executed on page load, widespread exploitation could occur if sites are not patched promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpchill

Strong Testimonials

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.2.21

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wpchill

Strong Testimonials

100%

Version	Status	Scheme	Platform
`[0,3.2.21]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Strong Testimonials to version 3.2.22 or later
Revoke or restrict contributor permissions if patching cannot be applied immediately
Remove the testimonial_view shortcode from all pages until the issue is fixed
Validate and sanitize all user‑supplied shortcode attributes on the site to prevent script injection

Generated by OpenCVE AI on April 8, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials
https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve

History

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpchill Wpchill strong Testimonials
Vendors & Products		Wordpress Wordpress wordpress Wpchill Wpchill strong Testimonials

Wed, 08 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Wpchill Strong Testimonials

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-08T04:27:16.978Z

Updated: 2026-04-08T17:05:19.972Z

Reserved: 2026-02-26T00:53:07.701Z

Link: CVE-2026-3239

Vulnrichment

Updated: 2026-04-08T15:06:59.189Z

NVD

Status : Deferred

Published: 2026-04-08T05:16:05.567

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:57Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object