Stored Cross-Site Scripting Vulnerability in WH Testimonials Plugin for WordPress
CVE-2023-1372

6.1 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 13 March 2023

Summary

The WH Testimonials plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping. Attackers can exploit this weakness by injecting malicious scripts into various parameters, including wh_homepage, wh_text_short, and wh_text_full. Once a user accesses a compromised page, the injected scripts execute, potentially leading to unauthorized actions or data theft. This vulnerability affects all versions of the plugin up to and including 3.0.0.

Affected Version(s)

WH Testimonials * <= 3.0.0

WH Testimonials 3.0.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Kelley