Stored Cross-Site Scripting Vulnerability in Quick Testimonials Plugin for WordPress
CVE-2025-14378

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Quick Testimonials
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-14378?

The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in its admin settings. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts. The malicious scripts will execute whenever a user accesses the compromised pages. This issue is particularly concerning in multi-site installations or environments where unfiltered_html is disabled, posing a significant security risk to user data and website integrity.

Affected Version(s)

Quick Testimonials * <= 2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/quick-testimonials/

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Dec 9, 2025

Credit

Jochem Boender

JSON