WordPress Plugin Vulnerabilities

GS Testimonial Slider < 1.9.7 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
gs-testimonial
Fixed in 1.9.7

References

CVE
CVE-2022-40213

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
b43c2819-a93d-411b-85f4-6191b41d9145

Timeline

Publicly Published
2022-09-14 (about 3 years ago)
Added
2022-09-24 (about 3 years ago)
Last Updated
2022-09-24 (about 3 years ago)

Other

Published
Title
Published
2026-04-16
Title
VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field
Published
2025-07-07
Title
Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting
Published
2023-08-28
Title
Sitekit < 1.5 - Contributor+ Stored XSS
Published
2026-02-10
Title
WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter
Published
2026-01-16
Title
CubeWP < 1.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode