CVE-2025-11268 MEDIUM

CVE-2025-11268: Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution

Vendor Wpchill
Product Strong Testimonials
Weakness CWE-79 · XSS
Published November 6, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.
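The description above boils down to one pattern: text submitted through an unauthenticated form reaches `do_shortcode()` without being sanitized, so any shortcode registered on the site is expanded when the testimonial is rendered. The snippet below is an added illustration of that pattern beside a hardened form; it is not the Strong Testimonials plugin's own code, and the `st_demo_` function names and the `testimonial_text` field name are hypothetical. Only the WordPress core functions (`do_shortcode`, `strip_shortcodes`, `sanitize_textarea_field`, `wp_unslash`, `esc_html`, `wpautop`) are real.

```php
<?php
// Added illustration, not the plugin's own code. The st_demo_ names and the
// 'testimonial_text' field are hypothetical; the wp_/do_/esc_ calls are real
// WordPress core functions.

// Vulnerable pattern: the raw submitted value is handed straight to
// do_shortcode(). Shortcodes in visitor-supplied text are expanded with the
// privileges of whoever renders the page (for example an administrator
// previewing the submission), which is the class of bug CVE-2025-11268
// describes.
function st_demo_render_vulnerable( array $submission ): string {
    $content = $submission['testimonial_text'] ?? '';
    return do_shortcode( wpautop( $content ) ); // unsafe: shortcodes run here
}

// Hardened intake: treat the field as plain text. Strip shortcode syntax
// before storage and sanitize the remainder, so nothing executable survives.
function st_demo_sanitize_submission( array $submission ): string {
    $content = wp_unslash( $submission['testimonial_text'] ?? '' );
    $content = strip_shortcodes( $content );       // remove tags of registered shortcodes
    return sanitize_textarea_field( $content );    // strip tags/control chars, keep newlines
}

// Hardened output: escape for HTML and never call do_shortcode() on text that
// originated from an unauthenticated visitor. Escaping alone is not enough if
// some later template still runs do_shortcode() on it, which is why intake
// stripping and output escaping are both applied.
function st_demo_render_hardened( string $stored_content ): string {
    return wpautop( esc_html( $stored_content ) );
}

// Optional triage aid for defenders: flag submissions that contained shortcode
// syntax so they can be reviewed rather than silently accepted.
function st_demo_contains_shortcode_syntax( string $raw ): bool {
    return (bool) preg_match( '/\[[a-zA-Z0-9_-]+[^\]]*\]/', $raw );
}
```

The defensive rule the example encodes is simple: only trusted, editor-authored content should ever be passed to `do_shortcode()`; visitor-submitted fields are data, not markup, and should be sanitized on the way in and escaped on the way out.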

Explanation of Vulnerability in Simple Terms

02 Summary

Strong Testimonials versions 3.2.16 and earlier contain a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts into testimonial content that execute in the browsers of site visitors. The vulnerability requires user interaction: a victim must view a page containing the malicious testimonial. This can be used to steal session cookies, redirect users, or deface content.

What an attacker can do

03 Attacker Capabilities

Inject malicious scripts that run in visitors' browsers when they view testimonials.

Potential impact on your site

04 Site Impact

Visitor sessions and data at risk; site reputation damage if malicious content is displayed.

Conditions required to exploit

05 Prerequisites

No authentication required. A victim must view a page containing the injected testimonial.

Key dates

06 Disclosure timeline

November 6, 2025 CVE published
April 8, 2026 Record updated