CVE-2025-14426
Unauthorized Data Modification in Strong Testimonials WordPress Plugin
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | strong_testimonials | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Strong Testimonials WordPress plugin allows authenticated users with Contributor-level access or higher to modify or delete the rating meta on any testimonial post, including those created by other users. This happens because the plugin's 'edit_rating' function lacks a proper capability check, enabling unauthorized modification by reusing a valid nonce obtained from their own testimonial edit screen. The issue was fixed in version 3.2.19 by adding permission checks and nonce verification to prevent unauthorized edits. [2, 3]
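The answer above describes the classic CWE-862 shape: an AJAX handler that verifies a nonce but never asks whether the current user is allowed to edit the specific post named in the request. The following PHP is an added illustration of that pattern and its hardened form; it is not the Strong Testimonials plugin's own code. The handler names, the meta key `example_rating`, the nonce action `example_edit_rating` and the AJAX action name are constructed placeholders, and the sanitization and range checks are assumptions about what a rating field needs rather than anything the advisory states.

```php
<?php
// Added illustrative example, not the plugin's own code. Names below
// (example_edit_rating_*, 'example_rating', 'example_edit_rating') are
// constructed placeholders.

// --- Vulnerable pattern: nonce check only -----------------------------------
// A nonce proves the request originated from a page this user loaded; it does
// not prove the user may edit the post whose ID arrives in the request. Any
// logged-in user who can reach the endpoint can rewrite meta on any post ID.
function example_edit_rating_unsafe() {
    check_ajax_referer( 'example_edit_rating', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $rating  = absint( $_POST['rating'] ?? 0 );

    update_post_meta( $post_id, 'example_rating', $rating ); // no ownership check
    wp_send_json_success();
}

// --- Hardened pattern: nonce + per-object capability check -------------------
function example_edit_rating_safe() {
    // 1. CSRF protection: the nonce must match this endpoint's action.
    check_ajax_referer( 'example_edit_rating', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $rating  = absint( $_POST['rating'] ?? 0 );

    // 2. Object existence: reject IDs that do not resolve to a post.
    if ( ! get_post( $post_id ) ) {
        wp_send_json_error( 'Unknown post.', 404 );
    }

    // 3. Authorization (the CWE-862 check): the user must be allowed to edit
    //    THIS post. WordPress maps the 'edit_post' meta capability to
    //    edit_posts / edit_others_posts according to ownership, so a
    //    Contributor passes only for posts they authored.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Not allowed to edit this post.', 403 );
    }

    // 4. Input validation (assumed 1..5 scale for the example).
    if ( $rating < 1 || $rating > 5 ) {
        wp_send_json_error( 'Rating out of range.', 400 );
    }

    update_post_meta( $post_id, 'example_rating', $rating );
    wp_send_json_success( array( 'post_id' => $post_id, 'rating' => $rating ) );
}

// Register only the hardened handler, and only for logged-in users
// (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_example_edit_rating', 'example_edit_rating_safe' );
```

The order matters for defenders reviewing similar handlers: the nonce check stops cross-site request forgery, the `current_user_can( 'edit_post', $post_id )` check stops an authenticated low-privilege user from targeting another author's post, and neither substitutes for the other.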
How can this vulnerability impact me?
This vulnerability can impact you by allowing users with limited access (Contributor-level and above) to alter or delete ratings on testimonial posts they do not own. This unauthorized modification can lead to data integrity issues, manipulation of testimonial ratings, and potential misuse of the testimonial system, undermining trust and the reliability of displayed testimonials on your WordPress site. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can check the version of the Strong Testimonials plugin installed on your WordPress site. Versions up to and including 3.2.18 are vulnerable. You can do this by running a WP-CLI command to list plugin versions, for example: `wp plugin list --format=json | jq '.[] | select(.name=="strong-testimonials") | .version'`. Additionally, monitoring AJAX requests to the endpoint handling 'wp_ajax_wpmtst_edit_rating' for unauthorized edits or unusual activity could indicate exploitation attempts. However, no specific detection commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Strong Testimonials plugin to version 3.2.19 or later, as this version includes the security fix that adds proper permission checks and nonce verification to prevent unauthorized edits. If updating immediately is not possible, restrict Contributor-level users from accessing testimonial editing functionality or disable the plugin temporarily until the update can be applied. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Contributor-level access and above to modify or delete rating data on testimonial posts created by other users without proper authorization. This unauthorized modification of data could lead to integrity issues and potential misuse of personal or testimonial information, which may impact compliance with data protection standards such as GDPR or HIPAA that require proper access controls and data integrity safeguards. However, specific compliance impacts are not detailed in the provided resources. [2, 3]