CVE-2025-14426
Unknown Unknown - Not Provided
Unauthorized Data Modification in Strong Testimonials WordPress Plugin

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: Wordfence

Description
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14426
EUVD
EUVD-2025-205774
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress strong_testimonials *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Strong Testimonials WordPress plugin allows authenticated users with Contributor-level access or higher to modify or delete the rating meta on any testimonial post, including those created by other users. This happens because the plugin's 'edit_rating' function lacks a proper capability check, enabling unauthorized modification by reusing a valid nonce obtained from their own testimonial edit screen. The issue was fixed in version 3.2.19 by adding permission checks and nonce verification to prevent unauthorized edits. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing users with limited access (Contributor-level and above) to alter or delete ratings on testimonial posts they do not own. This unauthorized modification can lead to data integrity issues, manipulation of testimonial ratings, and potential misuse of the testimonial system, undermining trust and the reliability of displayed testimonials on your WordPress site. [2]

Detection Guidance

To detect this vulnerability, you can check the version of the Strong Testimonials plugin installed on your WordPress site. Versions up to and including 3.2.18 are vulnerable. You can do this by running a WP-CLI command to list plugin versions, for example: `wp plugin list --format=json | jq '.[] | select(.name=="strong-testimonials") | .version'`. Additionally, monitoring AJAX requests to the endpoint handling 'wp_ajax_wpmtst_edit_rating' for unauthorized edits or unusual activity could indicate exploitation attempts. However, no specific detection commands are provided in the resources. [2, 3]

Mitigation Strategies

The immediate mitigation step is to update the Strong Testimonials plugin to version 3.2.19 or later, as this version includes the security fix that adds proper permission checks and nonce verification to prevent unauthorized edits. If updating immediately is not possible, restrict Contributor-level users from accessing testimonial editing functionality or disable the plugin temporarily until the update can be applied. [2]

Compliance Impact

The vulnerability allows authenticated users with Contributor-level access and above to modify or delete rating data on testimonial posts created by other users without proper authorization. This unauthorized modification of data could lead to integrity issues and potential misuse of personal or testimonial information, which may impact compliance with data protection standards such as GDPR or HIPAA that require proper access controls and data integrity safeguards. However, specific compliance impacts are not detailed in the provided resources. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14426. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart