VULNRICHMENT:CVE-2024-3261 (vulnrichment, WPScan)
History: Apr 24, 2024 - 5:00 a.m.

CVE-2024-3261 Strong Testimonials < 3.1.12 - Contributor+ Stored XSS

2024-04-24 05:00:03
WPScan
github.com
cve-2024-3261; stored xss; contributor+; wordpress plugin; cross-site scripting; testimonial fields; page/post; security vulnerability; specific view

AI Score: 5.6
Confidence: High

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial

The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:wpchill:strong_testimonials:*:*:*:*:*:wordpress:*:*"
    ],
    "vendor": "wpchill",
    "product": "strong_testimonials",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.1.12",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]
