WordPress Plugin Vulnerabilities

WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape the wh_homepage, wh_text_short and wh_text_full parameters of submitted Testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
wh-testimonials
No known fix

References

CVE
CVE-2023-1372
URL
https://danielkelley.me/wh-testimonials-reflected-xss-vulnerability-via-wh-homepage-parameter-in-version-3-0-0-and-below/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Daniel Kelley
Verified
Yes
WPVDB ID
7f8e4a22-4349-483e-8071-07292ae96730

Timeline

Publicly Published
2023-03-11 (about 3 years ago)
Added
2023-03-13 (about 3 years ago)
Last Updated
2023-03-13 (about 3 years ago)

Other

Published
Title
Published
2025-12-11
Title
WP Flot <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2023-03-20
Title
TreePress – Easy Family Trees & Ancestor Profiles < 3.0.0 - Admin+ Stored Cross-Site Scripting
Published
2025-12-30
Title
Academy LMS < 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-06-25
Title
WordPress Landing Pages <= 1.8.7 - Unspecified Cross-Site Scripting (XSS)
Published
2026-02-03
Title
Reflector < 1.2.3 - Reflected Cross-Site Scripting