CVE-2025-7367 in Strong Testimonials Plugin
Summary
by MITRE • 07/15/2025
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2025
The Strong Testimonials plugin for WordPress represents a significant security vulnerability classified as CVE-2025-7367, which affects all versions up to and including 3.2.11. This vulnerability manifests as a stored cross-site scripting flaw that specifically targets the plugin's Testimonial Custom Fields functionality. The flaw occurs when authenticated attackers with Author-level permissions or higher exploit insufficient input sanitization and output escaping mechanisms within the plugin's codebase. The vulnerability's severity stems from its ability to persist malicious scripts within the plugin's data storage, making it particularly dangerous as the injected code remains active until manually removed by administrators. This stored XSS vulnerability creates a persistent threat vector that can compromise user sessions and execute unauthorized actions against unsuspecting visitors.
The technical exploitation of this vulnerability follows a well-established pattern within the stored XSS attack category, which is categorized under CWE-79 in the Common Weakness Enumeration system. Attackers with Author-level access can leverage this flaw by crafting malicious script payloads within the testimonial custom fields, which are then stored in the WordPress database. When other users access pages containing these compromised testimonials, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The vulnerability's impact extends beyond simple script execution as it can be combined with other attack vectors to create more sophisticated threats. The ATT&CK framework categorizes this vulnerability under the T1059.001 technique for Command and Scripting Interpreter, specifically focusing on the use of JavaScript for code execution within web browsers.
The operational impact of CVE-2025-7367 creates substantial risks for WordPress sites utilizing the Strong Testimonials plugin, particularly those with multiple authors or contributors who may inadvertently provide attackers with elevated privileges. The vulnerability's persistence means that once exploited, malicious scripts remain active until manually removed from the database, potentially affecting thousands of users over extended periods. Organizations may experience reputational damage, data breaches, and compliance violations if attackers successfully exploit this vulnerability to steal user credentials or redirect visitors to phishing sites. The attack surface expands significantly when considering that testimonial sections are often prominently displayed on websites, making the malicious scripts highly visible and potentially effective for social engineering attacks. Furthermore, the vulnerability's presence in all versions up to 3.2.11 indicates a long-standing flaw that may have gone undetected for extended periods, increasing the potential for widespread compromise across multiple installations.
Mitigation strategies for CVE-2025-7367 require immediate action from affected organizations, including the urgent upgrade to the latest available version of the Strong Testimonials plugin where the vulnerability has been addressed. System administrators should implement immediate input validation and output escaping measures to prevent further exploitation while awaiting official patches, though the most effective solution involves updating to version 3.2.12 or later where the XSS vulnerabilities have been resolved. Additional protective measures include restricting user permissions to minimize the attack surface, implementing content security policies to prevent script execution, and monitoring for suspicious activity within the testimonials section. The vulnerability serves as a reminder of the critical importance of regular security updates and proper input sanitization practices in web application development, particularly for plugins that handle user-generated content. Organizations should also consider implementing web application firewalls and regular security audits to identify similar vulnerabilities before they can be exploited by malicious actors.