Strong Testimonials < 3.2.19 – Missing Authorization to Authenticated (Contributor+) Rating Meta Update | CVE 2025-14426 | Plugin Vulnerabilities

Description

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

Affects Plugins

strong-testimonials

Fixed in 3.2.19

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c83f48dd-9070-412d-b911-98581a81e29a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

cf4bae4a-e23c-444b-bd0c-93e169012c63

Timeline

Publicly Published

2025-12-29 (about 4 months ago)

Added

2025-12-30 (about 4 months ago)

Last Updated

2025-12-30 (about 4 months ago)

Other

Published

Title

Published

2026-01-16

Title

Element Invader – Template Kits for Elementor < 1.2.5 - Missing Authorization

Published

2026-03-04

Title

Media Library Assistant < 3.34 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification

Published

2024-12-06

Title

Simple Notification <= 1.3 - Missing Authorization

Published

2025-12-23

Title

Brave < 0.8.4 - Missing Authorization

Published

2025-03-03

Title

Animation Addons for Elementor Pro < 1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation