Description
The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fancy Testimonials plugin for WordPress contains a stored XSS flaw that is triggered by the 'author' shortcode attribute. Because the input is not sanitised or escaped, an attacker who can contribute content can embed malicious JavaScript that is stored and later rendered on pages that display the testimonial. When a victim visits the page, the script runs in the victim's browser, potentially stealing cookies, hijacking sessions, or performing other client‑side attacks. The vulnerability does not grant server‑side code execution or direct database access, but it can lead to phishing, defacement, or credential theft.

Affected Systems

WordPress sites that have the dijitul Fancy Testimonials plugin installed and use a version up to and including 1.0. The flaw applies to all installations of those versions, regardless of WordPress theme or configuration.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate impact, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in CISA’s KEV catalog. Attackers need a Contributor‑level account or higher within WordPress to inject the payload, and they must be able to add or edit a testimonial via the plugin’s interface. Once the malicious content is stored, any unauthenticated visitor who views the page will be exposed to the injected script, so the risk is amplified by the wide reach of the affected pages.

Generated by OpenCVE AI on June 18, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fancy Testimonials to the latest available version.
  • If an update cannot be performed immediately, stop using the 'author' attribute of the testimonial shortcode, or restrict Contributor access to the plugin’s testimonial editing functions.
  • Review existing testimonials for embedded scripts and remove any malicious code before publishing.
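The description above attributes the flaw to missing input sanitization and output escaping of the 'author' shortcode attribute, and the recommended actions ask for that attribute to be disabled or its users restricted until a fix ships. The following is an added illustration, not code from the Fancy Testimonials plugin or from OpenCVE: a hypothetical [testimonial] shortcode handler showing the flaw class (an attribute concatenated into markup unescaped) beside a hardened handler that uses the standard WordPress sanitizing and escaping functions. The function names are assumptions; the WordPress API calls (shortcode_atts, sanitize_text_field, wp_kses_post, esc_html, add_shortcode) are real.

```php
<?php
/*
 * Added illustration, not the Fancy Testimonials plugin's own code.
 * Both handlers below are hypothetical; only the WordPress API calls are real.
 */

// Vulnerable pattern: the 'author' attribute is placed straight into the
// returned markup, so whatever a Contributor typed into the shortcode reaches
// every visitor's browser unchanged. WordPress does not escape shortcode
// attributes for you; the callback is responsible for that.
function hypothetical_testimonial_shortcode_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'author' => '' ), $atts, 'testimonial' );
    return '<blockquote class="testimonial">' . $content
        . '<cite>' . $atts['author'] . '</cite></blockquote>';
}

// Hardened pattern: normalise on input, then escape on output for the exact
// context the value is rendered in (an HTML text node here, so esc_html();
// esc_attr() would be the right call if the value went into an attribute).
function hypothetical_testimonial_shortcode_safe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'author' => '' ), $atts, 'testimonial' );

    // sanitize_text_field() strips tags, line breaks and control characters
    // from the author name; a name never needs markup.
    $author = sanitize_text_field( $atts['author'] );

    // The quote body may legitimately carry limited formatting, so it is
    // filtered with the post-content allow-list, which never admits <script>
    // or on* event-handler attributes.
    $text = wp_kses_post( $content );

    return '<blockquote class="testimonial">' . $text
        . '<cite>' . esc_html( $author ) . '</cite></blockquote>';
}

// Registering the hardened handler under the same shortcode tag.
add_shortcode( 'testimonial', 'hypothetical_testimonial_shortcode_safe' );
```

Sanitizing at input alone is not sufficient: values already stored in the database before a fix was deployed, or values written through another path, still reach the page, so the escaping call at the point of output is the control that actually closes the stored XSS. When reviewing existing testimonials, as the third recommended action asks, it is the stored shortcode attribute values (not only the rendered page) that need to be inspected.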

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
            |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T13:02:09.287Z

Reserved: 2026-05-06T15:57:42.436Z

Link: CVE-2026-8039

Vulnrichment

Updated: 2026-06-18T13:02:04.339Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')