WordPress Plugin Vulnerabilities

Testimonial Rotator < 3.0.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

A Stored XSS vulnerability has been found in the 'Author Information' textarea in testimonials from the plugin, which could allow an authenticated medium-privileged user (contributor+) to inject arbitrary JavaScript. The XSS will be triggered for anyone visiting public posts or testimonial page listing in the backend.

The filter work by javascript, thus if user intercepts request and insert payload in "cite" parameter, the payload will be stored in the database.

Edit (WPScanTeam):
May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11st, 2020 - WP Plugins Team Investigating
June 16th, 2020 - v3.0.3 released, fixing the issue.

Proof of Concept

Affects Plugins

Plugin icon
testimonial-rotator
Fixed in 3.0.3

References

CVE
CVE-2020-26672

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Vu Dong - SunSCR
Submitter
Vu Dong - SunSCR
Verified
Yes
WPVDB ID
faaa56b2-20a8-417a-aff7-1cb1d8851fc1

Timeline

Publicly Published
2020-06-17 (about 5 years ago)
Added
2020-06-17 (about 5 years ago)
Last Updated
2021-02-18 (about 5 years ago)

Other

Published
Title
Published
2024-02-06
Title
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) < 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-01-08
Title
Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
Published
2021-10-14
Title
WpGenius Job Listing <= 1.0.2 - Admin+ Stored Cross-Site Scripting
Published
2025-03-21
Title
Multi Video Box <= 1.5.2 - Reflected Cross-Site Scripting via video_id and group_id Parameters
Published
2025-04-25
Title
Kali Forms < 2.4.3 - Contributor+ Stored XSS