2024-11-20
This blog post details a vulnerability (CVE-2024-4705) in the Testimonials Widget plugin for WordPress.
Vulnerability
Platform: WordPress Testimonials Widget Plugin
Version: Up to and including 4.0.4
Vulnerability: Stored Cross-Site Scripting (XSS)
Severity: Unlisted (CVSS score not provided)
Date: June 5, 2024 (published to the NVD by NIST)
The vulnerability is caused by insufficient input sanitization and output escaping of user-supplied attributes in the plugin's testimonials shortcode: attribute values are written into the rendered HTML without being validated or escaped for the context they land in. Any authenticated user with contributor-level access or higher can therefore place a crafted shortcode in a post or page. The payload is stored with the post and runs in the browser of anyone who views that page, including the editors and administrators who preview or review contributor submissions, so the script executes with their session rather than the attacker's.
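The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a shortcode handler concatenates a contributor-controlled attribute straight into markup, beside a hardened handler that validates the attribute and escapes it with the WordPress helper matching its output context. The shortcode tag `testimonials`, the attribute names `css_class` and `title`, and the fallback definitions of the WordPress helpers (used only so the file runs under plain `php` outside WordPress) are assumptions made for this demo. The constructed payload breaks out of the `class` attribute with a bare `"` and adds an event handler; it contains no HTML tag, which is why the KSES filtering applied to contributor post content does not remove it.

```php
<?php
// Added demo of the vulnerable and hardened shortcode pattern; not the plugin's code.
// Tag name, attribute names and the fallback helpers below are assumptions for this demo.

// Stand-ins so the file runs with `php this_file.php` outside WordPress.
// Inside WordPress these are already defined and the real ones are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Minimal stand-in: overlay user attributes on the defaults, drop unknown keys.
    function shortcode_atts($defaults, $atts) {
        $out = array();
        foreach ($defaults as $key => $value) {
            $out[$key] = isset($atts[$key]) ? $atts[$key] : $value;
        }
        return $out;
    }
}
if (!function_exists('sanitize_html_class')) {
    // Stand-in with a rule similar to WordPress: keep only A-Z, a-z, 0-9, '_' and '-'.
    function sanitize_html_class($class) {
        return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
    }
}

// Vulnerable pattern: contributor-controlled attributes go straight into the markup.
function testimonials_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(array('css_class' => 'testimonials', 'title' => ''), $atts);
    return '<div class="' . $atts['css_class'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: validate where a strict rule exists, then escape at output
// with the function that matches the HTML context (attribute vs. text node).
function testimonials_shortcode_fixed($atts) {
    $atts  = shortcode_atts(array('css_class' => 'testimonials', 'title' => ''), $atts);
    $class = sanitize_html_class($atts['css_class']);
    if ($class === '') {
        $class = 'testimonials';
    }
    return '<div class="' . esc_attr($class) . '"><h3>' . esc_html($atts['title']) . '</h3></div>';
}

// Register the hardened handler when loaded inside WordPress (tag name assumed).
if (function_exists('add_shortcode')) {
    add_shortcode('testimonials', 'testimonials_shortcode_fixed');
}

// Demo only runs from the command line, never during a WordPress page load.
if (PHP_SAPI === 'cli') {
    // Constructed payload, the shape a contributor could put in a post:
    // [testimonials css_class='" onmouseover="alert(document.cookie)" x="' title='" onfocus="alert(1)']
    $payload = array(
        'css_class' => '" onmouseover="alert(document.cookie)" x="',
        'title'     => '" onfocus="alert(1)',
    );

    echo "Vulnerable output:\n" . testimonials_shortcode_vulnerable($payload) . "\n\n";
    echo "Hardened output:\n" . testimonials_shortcode_fixed($payload) . "\n";
}
```

In the vulnerable output the `css_class` value closes the `class` attribute and leaves a live `onmouseover` handler on the `div`; in the hardened output the value collapses to a harmless class name and the title's quotes become entities. Running the hardened handler alone is a quick way to confirm a fix in a review: any `"`, `<` or `>` surviving into an attribute value means the escaping is still missing.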
What Undercode Says:
This vulnerability is serious in practice. Because the script runs in the session of whoever views the injected page, it can steal that user's data, redirect visitors to phishing sites, or deface the site, and if the viewer is an administrator it can act with administrator privileges on their behalf. We recommend updating the Testimonials Widget plugin to a release newer than 4.0.4 as soon as one is available, or deactivating and removing the plugin if it is not actively used. Until then, review content authored by contributor accounts for testimonials shortcodes with unusual attribute values, and keep contributor access limited to accounts that need it.
Please note: This information is for general awareness purposes only. It is recommended to consult with a security professional for specific guidance on mitigating this vulnerability.
References:
Source: NVD, CVE-2024-4705, https://nvd.nist.gov/vuln/detail/CVE-2024-4705