What the vulnerability does
01 Description
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
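The pattern the description refers to, shown as an added illustration rather than the plugin's own code: a simplified admin-ajax handler that verifies a nonce but never checks whether the caller may edit the target post, beside the hardened form that adds the missing capability check. The function names, the `example_edit_rating` action, the `rating` meta key, the `testimonial` post type and the 1 to 5 rating range are all assumptions for the example; the real plugin's identifiers may differ.

```php
<?php
/**
 * Added example, not Strong Testimonials code. Models the class of bug the
 * advisory describes: a nonce check without a capability check.
 * Assumed names: post type, meta key, action name and rating range.
 */
const EXAMPLE_TESTIMONIAL_POST_TYPE = 'testimonial'; // assumed
const EXAMPLE_RATING_META_KEY       = 'rating';      // assumed

/**
 * VULNERABLE pattern. check_ajax_referer() only proves the request carries a
 * nonce minted for this user and this action; it says nothing about which
 * posts the user may edit. A Contributor copies the nonce from their own
 * testimonial's edit screen and replays it with any other post ID.
 */
function example_edit_rating_vulnerable() {
    check_ajax_referer( 'example_edit_rating', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $rating  = sanitize_text_field( wp_unslash( $_POST['rating'] ?? '' ) );

    if ( '' === $rating ) {
        delete_post_meta( $post_id, EXAMPLE_RATING_META_KEY ); // any post, any author
    } else {
        update_post_meta( $post_id, EXAMPLE_RATING_META_KEY, $rating );
    }
    wp_send_json_success();
}

/**
 * HARDENED pattern. Keep the nonce (it still defends against CSRF), then add
 * the authorization and input checks the vulnerable version lacks.
 */
function example_edit_rating_hardened() {
    check_ajax_referer( 'example_edit_rating', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // 1. The target must exist and be a testimonial, not an arbitrary post.
    if ( ! $post_id || EXAMPLE_TESTIMONIAL_POST_TYPE !== get_post_type( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. The missing capability check. 'edit_post' is a meta capability
    //    resolved per post: a Contributor passes only for their own
    //    unpublished posts and never for posts created by other users.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Constrain the value (assumed range 1..5; empty means "remove").
    $raw    = isset( $_POST['rating'] ) ? wp_unslash( $_POST['rating'] ) : '';
    $rating = ( '' === $raw ) ? null : absint( $raw );
    if ( null !== $rating && ( $rating < 1 || $rating > 5 ) ) {
        wp_send_json_error( 'rating out of range', 400 );
    }

    if ( null === $rating ) {
        delete_post_meta( $post_id, EXAMPLE_RATING_META_KEY );
    } else {
        update_post_meta( $post_id, EXAMPLE_RATING_META_KEY, $rating );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'rating' => $rating ) );
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_edit_rating', 'example_edit_rating_hardened' );
```

Two caveats when applying this pattern to a real plugin. `current_user_can( 'edit_post', $id )` resolves per post only if the custom post type was registered so that WordPress maps its meta capabilities (`map_meta_cap` set, or `capability_type` left at `post`); otherwise confirm what the check actually resolves to. Binding the nonce to the post, for example `wp_create_nonce( 'example_edit_rating_' . $post_id )` on the edit screen and the matching action string in `check_ajax_referer()`, stops the cross-post nonce reuse the advisory describes, but it is defence in depth: the capability check is the fix.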
Explanation of Vulnerability in Simple Terms
02 Summary
Strong Testimonials through version 3.2.18 verifies that a request to its 'edit_rating' function carries a valid nonce, but never checks whether the logged-in user is allowed to edit the testimonial the request names. A nonce only shows the request came from a page that user loaded; it does not carry authorization, so a nonce taken from the user's own testimonial edit screen works against any other testimonial. A logged-in user with the Contributor role or higher can therefore change or remove ratings on testimonials they should not be able to touch. No administrator-level capability is needed.
What an attacker can do
03 Attacker Capabilities
Modify or delete the rating meta on any testimonial post, including testimonials created by other users, bypassing the plugin's intended access restrictions.
Potential impact on your site
04 Site Impact
Ratings attached to testimonials can be altered or deleted by users who are not authorized to edit them, so the ratings shown to visitors can no longer be trusted and content integrity is compromised.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with Contributor-level access or above (enough to reach a testimonial edit screen and obtain a valid nonce) on a site running Strong Testimonials 3.2.18 or earlier.
Key dates
06 Disclosure timeline
December 30, 2025
CVE published
April 8, 2026
Record updated