01 Description: What the vulnerability does
The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.
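The pattern described above (visitor-submitted text reaching do_shortcode) and one way to harden it, as an added illustration that is not code from the Strong Testimonials plugin. The function names are hypothetical; sanitize_text_field, strip_shortcodes, wp_unslash, wp_kses_post, do_shortcode and esc_html are WordPress core functions, so the snippet assumes it runs inside a WordPress request.

```php
<?php
// Added illustration, not plugin code. Shows the unsafe pattern the advisory
// describes next to a hardened intake/render pair. Function names are hypothetical.

// UNSAFE: a visitor-supplied field is stored verbatim and later rendered through
// do_shortcode(), so any registered [shortcode] in it runs with the privileges
// of whoever renders the page, e.g. an administrator previewing the submission.
function unsafe_render_testimonial( $submitted_text ) {
    return do_shortcode( $submitted_text );
}

// HARDENED intake: sanitize each field for the role it plays, and remove
// shortcode tags from free text before it is stored.
function hardened_save_testimonial( array $post_data ) {
    // Single-line field: strips tags, control characters and extra whitespace.
    $author = sanitize_text_field( wp_unslash( $post_data['author'] ?? '' ) );

    // Free-text body: drop registered shortcode tags, then keep only the HTML
    // allowed in post content. Note that wp_kses_post() alone would not remove
    // [tags], because square brackets are plain text to an HTML filter.
    $body = strip_shortcodes( wp_unslash( $post_data['body'] ?? '' ) );
    $body = wp_kses_post( $body );

    return array( 'author' => $author, 'body' => $body );
}

// HARDENED output: escape on the way out and keep do_shortcode() away from
// anything a visitor typed.
function hardened_render_testimonial( array $testimonial ) {
    $out  = '<blockquote>' . wp_kses_post( $testimonial['body'] ) . '</blockquote>';
    $out .= '<cite>' . esc_html( $testimonial['author'] ) . '</cite>';
    return $out;
}

// If the theme needs shortcodes in the surrounding template, expand the
// template FIRST and splice the escaped visitor text in afterwards, so the
// shortcode parser never sees visitor-controlled input. The '{{body}}'
// placeholder is an assumption of this example.
function hardened_render_with_template( array $testimonial, $template ) {
    $expanded = do_shortcode( $template );
    return str_replace( '{{body}}', wp_kses_post( $testimonial['body'] ), $expanded );
}
```

The ordering in the last function is the part that matters: calling do_shortcode() after the testimonial has been inserted would reintroduce the same flaw, because the parser would then process the visitor's [tags] along with the template's. strip_shortcodes() on intake is defence in depth; it only removes tags that are registered at the time the submission is saved, so it is not a substitute for keeping visitor text out of do_shortcode() at render time.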
02 Summary: Explanation of the vulnerability in simple terms
Strong Testimonials versions 3.2.16 and earlier contain a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts into testimonial content that execute in the browsers of site visitors. The vulnerability requires user interaction—a victim must view a page containing the malicious testimonial. This can be used to steal session cookies, redirect users, or deface content.
03 Attacker capabilities: What an attacker can do
Inject malicious scripts that run in visitors' browsers when they view testimonials.
04 Site impact: Potential impact on your site
Visitor sessions and data at risk; site reputation damage if malicious content is displayed.
05 Prerequisites: Conditions required to exploit
No authentication required. A victim must view a page containing the injected testimonial.
06 Disclosure timeline: Key dates
November 6, 2025: CVE published
April 8, 2026: Record updated