{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11268", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-03T19:03:57.976Z", "datePublished": "2025-11-06T08:26:27.860Z", "dateUpdated": "2026-04-08T17:23:38.359Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:38.359Z"}, "affected": [{"vendor": "wpchill", "product": "Strong Testimonials", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial."}], "title": "Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-11-05T19:34:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T14:30:08.446366Z", "id": "CVE-2025-11268", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:46:59.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T14:30:08.446366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:44:47.081Z"}}], "cna": {"title": "Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Strong Testimonials", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T19:34:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials"}], "descriptions": [{"lang": "en", "value": "The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:38.359Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11268", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:38.359Z", "dateReserved": "2025-10-03T19:03:57.976Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T08:26:27.860Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial."}], "id": "CVE-2025-11268", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-06T09:15:33.197", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:36:37.574414+00:00", "value": {"mitigation_remediation": ["Update the Strong Testimonials plugin to the latest available version, removing the input validation issue.", "Audit and clean existing testimonials to remove any stored shortcodes or malicious content.", "If possible, temporarily disable testimonial submissions or restrict the allowed shortcode list until an update is applied."], "summary": {"action": "Update Plugin", "impact": "Unauthenticated Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "All users of the WordPress \u201cStrong Testimonials\u201d plugin version 3.2.16 or older are affected. This includes any site that has installed the plugin and has not yet upgraded to a later version. Site administrators who allow testimonial submissions could be impacted when an attacker submits a crafted testimonial.", "description_and_impact": "The plugin is vulnerable to arbitrary shortcode execution in all versions up to and including 3.2.16 due to lack of validation when a testimonial value is passed to do_shortcode. This flaw allows an unauthenticated attacker to craft a testimonial that triggers the execution of any shortcode during the preview or publish process. The vulnerability is tied to CWE\u201179 and can lead to unexpected behavior or code execution if the attacker supplies a malicious shortcode.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of <1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely HTTP through the testimonial submission form; an attacker only needs to submit a malicious testimonial and does not require authenticated access. If the shortcode processor evaluates code, this could enable arbitrary execution."}}}}, "created": "2025-11-06T20:19:29.352021+00:00", "updated": "2026-04-21T18:45:06.077572+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$strong_testimonials"]}