WordPress Plugin Vulnerabilities

Testimonials <= 3.0.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters available to users with a role as low as contributor, allowing them to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
testimonials
No known fix

References

CVE
CVE-2022-33191

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
97f7ba3b-00c2-4a8b-97da-8145986991ff

Timeline

Publicly Published
2022-07-19 (about 3 years ago)
Added
2022-07-25 (about 3 years ago)
Last Updated
2022-08-25 (about 3 years ago)

Other

Published
Title
Published
2024-11-25
Title
BNE Gallery Extended < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode
Published
2025-01-10
Title
SlideDeck 1 Lite Content Slider <= 1.4.8 - Reflected XSS
Published
2025-09-26
Title
Simple Meta Tags <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-04-13
Title
WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS
Published
2014-08-01
Title
2-Click-Socialmedia-Buttons < 0.35 - Cross Site Scripting