WordPress Plugin Vulnerabilities

GS Testimonial Slider < 3.3.1 - Missing Authorization

Description

The GS Testimonial Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_shortcode_pref() function in versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update shortcode preferences.

Affects Plugins

Plugin icon
gs-testimonial
Fixed in 3.3.1

References

CVE
CVE-2025-47467
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5eecb3-b001-4a07-806d-5d4a39622853

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
domiee13
Verified
No
WPVDB ID
a87227cd-87a8-4114-a133-63db641ff39a

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-12 (about 1 year ago)
Last Updated
2025-05-12 (about 1 year ago)

Other

Published
Title
Published
2019-10-31
Title
YIT Plugin Framework < 3.3.13 - Subscriber+ Settings Update
Published
2026-01-07
Title
Dashboard Welcome for Beaver Builder <= 1.0.8 - Missing Authorization
Published
2026-02-11
Title
FullCalendar <= 1.6 - Missing Authorization
Published
2025-08-21
Title
Kalium < 3.19 - Missing Authorization
Published
2025-08-15
Title
School Management <= 93.2.0 - Missing Authorization