Strong Testimonials

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Description

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

Basic Information

ID CVE-2025-11268

Source Wordfence

Published Nov 6, 2025 at 08:26

Affected Product

Vendor wpchill

Product Strong Testimonials

Version *

Affected Versions wpchill Strong Testimonials *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.",
    "published": "2025-11-06T08:26:27.860Z",
    "modified": "2025-11-06T08:26:27.860Z",
    "type": "cve",
    "title": "Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials",
    "id": "CVE-2025-11268",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "wpchill Strong Testimonials *",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Strong Testimonials",
    "version": "*",
    "vendor": "wpchill",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution_CVE-2025-11268