CVE-2024-13704 in Super Testimonials Plugininfo

Summary

by MITRE • 02/18/2025

The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/08/2026

The Super Testimonials plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2024-13704 affecting versions through 4.0.1. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of the 'st_user_title' parameter. The flaw allows unauthenticated attackers to inject malicious web scripts into the plugin's testimonial submission process, creating a persistent security risk that can affect any user who accesses pages containing the injected content.

The technical implementation of this vulnerability occurs when the plugin fails to properly sanitize user input before storing it in the database and subsequently rendering it on web pages. When the 'st_user_title' parameter receives malicious input containing script tags or other executable code, the plugin stores this content without adequate filtering or encoding. The vulnerability operates at the application layer and represents a classic stored XSS flaw that falls under CWE-79, which specifically addresses cross-site scripting vulnerabilities arising from insufficient input validation and output escaping.

The operational impact of CVE-2024-13704 extends beyond simple script execution as it provides attackers with a persistent vector for various malicious activities. Once an attacker successfully injects malicious code through the vulnerable parameter, any user who accesses pages displaying the compromised testimonials will execute the injected scripts in their browser context. This creates opportunities for session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The vulnerability affects all users of the affected plugin versions regardless of their authentication status, making it particularly dangerous in multi-user environments where administrators might inadvertently view compromised testimonial content.

Security practitioners should consider this vulnerability in relation to the ATT&CK framework's T1566 technique for initial access through malicious content, as the stored XSS can serve as a delivery mechanism for more sophisticated attacks. The vulnerability also aligns with T1059 for command and control through script execution, as injected scripts can establish communication channels with attacker-controlled servers. Organizations using the Super Testimonials plugin should immediately implement mitigations including input validation at the plugin level, output encoding of all user-provided content, and consideration of temporary workarounds such as disabling the affected functionality until a patched version becomes available.

The remediation approach should prioritize immediate plugin updates to versions that address the input sanitization deficiencies, while also implementing additional defensive measures such as web application firewalls that can detect and block malicious script patterns. Security monitoring should include regular checks for unauthorized modifications to testimonial content and implementation of proper content security policies to limit the execution of embedded scripts. Organizations should also conduct comprehensive vulnerability assessments to identify other plugins or components that might exhibit similar sanitization weaknesses, as this represents a broader pattern of insufficient input validation that could affect multiple areas of the WordPress ecosystem.

Responsible

Wordfence

Reservation

01/24/2025

Disclosure

02/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00322

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!