CVE-2024-4705 in Testimonials Widget Plugin
Summary
by MITRE • 06/06/2024
The Testimonials Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonials shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/26/2025
The Testimonials Widget plugin for WordPress represents a widely used component for displaying customer reviews and feedback on websites, yet it harbors a critical security vulnerability that undermines the integrity of WordPress installations. This vulnerability manifests as a stored cross-site scripting flaw within the plugin's testimonials shortcode functionality, affecting all versions through 4.0.4, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of affected websites.
The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's shortcode processing code. When administrators or contributors create testimonials using the plugin's interface, the user-supplied attributes containing HTML content are not properly validated or escaped before being stored in the database and subsequently rendered on web pages. This failure to implement proper sanitization techniques allows attackers to inject malicious script code that persists in the database and executes whenever the affected shortcode is processed and displayed to users.
The operational impact of this vulnerability extends beyond simple script injection, as it provides authenticated attackers with a persistent foothold within WordPress installations. Attackers with contributor-level access or higher can leverage this vulnerability to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further compromise of the WordPress environment. The stored nature of the vulnerability means that once injected, malicious code remains active until manually removed from the database, creating a long-term threat that can affect all users who access pages containing the compromised testimonials.
This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and represents a classic example of how insufficient input validation can create persistent security weaknesses. The attack vector follows ATT&CK technique T1548.002 for privilege escalation through credential access, as attackers can leverage their contributor-level access to inject malicious code that can then compromise other users. Organizations should immediately update to the latest plugin version where this vulnerability has been addressed, implement proper input validation measures, and consider additional security monitoring to detect unauthorized changes to testimonials or other user-generated content. The vulnerability demonstrates the critical importance of proper sanitization and escaping mechanisms in web applications, particularly when handling user-supplied content that will be rendered in web browsers.