CVE-2025-7367
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | strong_testimonials | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Strong Testimonials WordPress plugin (up to version 3.2.11) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize and escape input in the Testimonial Custom Fields. This allows authenticated users with Author-level access or higher to inject malicious scripts into testimonial pages. These scripts then execute whenever any user views the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Author-level access to inject arbitrary web scripts that execute in the browsers of users who view the injected testimonial pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the attack is stored, the malicious script persists and affects all users accessing the compromised content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Strong Testimonials WordPress plugin is installed and running a version up to and including 3.2.11. Since the vulnerability involves Stored Cross-Site Scripting via Testimonial Custom Fields, detection can involve reviewing testimonial content for suspicious or unexpected scripts. There are no specific network commands provided in the resources. However, you can use WordPress CLI commands to check the plugin version, for example: `wp plugin list --status=active` to list active plugins and their versions. Additionally, scanning the database testimonial custom fields for suspicious script tags or payloads can help detect exploitation. No direct commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Strong Testimonials plugin to a version later than 3.2.11 where the vulnerability is fixed. If an update is not immediately possible, restrict Author-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with Author-level access or above to exploit. Additionally, review and sanitize testimonial custom fields to remove any injected scripts. Applying web application firewall (WAF) rules to block suspicious script injections in testimonial fields can also help mitigate risk. [1]