Strong Testimonials < 3.1.12 – Contributor+ Stored XSS | CVE 2024-3261

Description

The plugin does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed

Proof of Concept

Setup (as admin):
- Create a view (/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views)
-  In the "Custom Fields" section, click on the "Full Name" and set "Display Type" to "link(must be URL type)"
- Save the view, and put its shortcode (eg [testimonial_view id="1"]) in a post/page

As Contributor:
- add a testimonial, set the Full Name to 123"onmouseover='alert(/XSS/)'
- Submit the testimonial for review (or publish it if using an Author+ role)

Once the testimonial is approved/published, the XSS will be triggered in the post where the view is embed and a user move the mouse over the generated testimonial link.

The attack could also be done via an Author role, to not have to wait for an admin to approve the testimonial.