Strong Testimonials < 3.2.17 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-11268 | Plugin Vulnerabilities

Description

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

Affects Plugins

strong-testimonials

Fixed in 3.2.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Kishan Vyas

Verified

No

WPVDB ID

f4ba8da9-73dd-4c0d-b172-2ace9ed9d06f

Timeline

Publicly Published

2025-11-05 (about 6 months ago)

Added

2025-11-05 (about 6 months ago)

Last Updated

2025-11-06 (about 6 months ago)

Other

Published

Title

Published

2025-02-02

Title

User Role <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2014-08-01

Title

MailUp 1.3.2 - ajax.functions.php Ajax Function Call H&ling XSS Weakness

Published

2019-09-05

Title

API Bearer Auth < 20190908 - Unauthenticated Reflected XSS

Published

2025-09-08

Title

Postie < 1.9.71 - Admin+ Stored XSS

Published

2025-11-12

Title

Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode