The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 21 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Themepoints
Themepoints super Testimonials
Weaknesses CWE-79
CPEs cpe:2.3:a:themepoints:super_testimonials:*:*:*:*:*:wordpress:*:*
Vendors & Products Themepoints
Themepoints super Testimonials

Tue, 18 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Feb 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Super Testimonials <= 4.0.1 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-02-18T15:47:54.786Z

Reserved: 2025-01-24T14:22:24.945Z

Link: CVE-2024-13704

cve-icon Vulnrichment

Updated: 2025-02-18T15:47:50.397Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-18T08:15:09.820

Modified: 2025-02-21T15:34:38.797

Link: CVE-2024-13704

cve-icon Redhat

No data.