Stored Cross- Site Scripting Vulnerability in Stars Testimonials Plugin
CVE-2024-8989
6.4MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 1 October 2024
Summary
The Free Responsive Testimonials plugin for WordPress is subject to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping on user-supplied attributes through the stars_testimonials shortcode. This flaw impacts all versions leading up to and including 3.3.1. Authenticated users with contributor-level access can exploit this vulnerability, allowing them to inject arbitrary web scripts into pages. When these pages are accessed by other users, the injected scripts execute, potentially compromising user data and site integrity.
Affected Version(s)
Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials * <= 3.3.1
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis