Threat Entry Updated 2026-04-08

CVE-2026-3239 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Strong Testimonials

CVE-2026-3239

MEDIUM CVSS 6.4 2026-04-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-12-31

CVE-2025-14426 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

PLUGIN Strong Testimonials

CVE-2025-14426

MEDIUM CVSS 4.3 2025-12-30

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-11-06

CVE-2025-11268 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

PLUGIN Strong Testimonials

CVE-2025-11268

MEDIUM CVSS 4.3 2025-11-06

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-07-15

CVE-2025-7367 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Strong Testimonials

CVE-2025-7367

MEDIUM CVSS 6.4 2025-07-15

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6491 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.

PLUGIN Strong Testimonials

CVE-2023-6491

MEDIUM CVSS 4.3 2024-06-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-08

CVE-2024-3261 - Strong Testimonials Plugin

The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed

PLUGIN Strong Testimonials

CVE-2024-3261

MEDIUM CVSS 4.8 2024-04-24

Risk Score

Open Full Technical Breakdown