CVE-2025-11268
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-06
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| strong_testimonials | strong_testimonials | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Strong Testimonials plugin for WordPress (up to and including version 3.2.16) and allows unauthenticated attackers to execute arbitrary shortcodes. It occurs because the plugin does not properly validate or sanitize user-submitted testimonial values before passing them to the do_shortcode function. If an administrator previews or publishes a crafted testimonial containing a malicious shortcode, that shortcode is executed.
How can this vulnerability impact me?
The vulnerability can allow an unauthenticated attacker to execute arbitrary shortcodes when an administrator previews or publishes a malicious testimonial. The impact is limited: it is rated as a low integrity issue within the WordPress site, potentially allowing attackers to manipulate content or perform actions via shortcode execution. It does not directly impact confidentiality or availability.
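The flaw class described above, as an added illustration that is not the plugin's code: a constructed stand-in for WordPress's shortcode registry, do_shortcode() and strip_shortcodes(), showing a visitor-submitted field reaching shortcode expansion unfiltered versus the same field cleaned before the template is expanded. The shortcode names, handlers and sample submission are all hypothetical.

```python
import re

# Constructed stand-in for WordPress's shortcode syntax: [name attr="value"].
SHORTCODE_RE = re.compile(r'\[([a-z_]+)((?:\s+[a-z_]+="[^"]*")*)\s*\]')


def _parse_attrs(raw):
    return dict(re.findall(r'([a-z_]+)="([^"]*)"', raw))


# Hypothetical handlers standing in for shortcodes a site has registered.
# Which shortcodes exist on a given site is what gives "arbitrary shortcode
# execution" its real impact.
REGISTRY = {
    "site_email": lambda attrs: "admin@example.invalid",
    "greeting": lambda attrs: f"Hello, {attrs.get('name', 'visitor')}!",
}


def do_shortcode(content):
    """Expand every registered shortcode in content (toy do_shortcode)."""
    def expand(m):
        handler = REGISTRY.get(m.group(1))
        return handler(_parse_attrs(m.group(2))) if handler else m.group(0)
    return SHORTCODE_RE.sub(expand, content)


def strip_shortcodes(content):
    """Remove shortcode tags from untrusted text (toy strip_shortcodes)."""
    return SHORTCODE_RE.sub("", content)


def render_preview_vulnerable(testimonial):
    # The pattern the advisory describes: the submitted value is expanded
    # when an administrator previews or publishes it, so any shortcode the
    # visitor typed runs with the site's registered handlers.
    return do_shortcode(f"<blockquote>{testimonial}</blockquote>")


def render_preview_hardened(testimonial):
    # Untrusted fields are cleaned before expansion, so only shortcodes
    # placed in the template by the site itself can run.
    cleaned = strip_shortcodes(testimonial)
    return do_shortcode(f"<blockquote>{cleaned}</blockquote>")


# Constructed sample submission from an unauthenticated visitor.
SUBMITTED = 'Great plugin! [greeting name="x"] [site_email]'
```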