{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14378", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T19:04:20.586Z", "datePublished": "2025-12-13T04:31:21.768Z", "dateUpdated": "2026-04-08T16:37:45.643Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:45.643Z"}, "affected": [{"vendor": "themeregion", "product": "Quick Testimonials", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Quick Testimonials <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1907308f-a722-48ce-8da4-a6c21ee29575?source=cve"}, {"url": "https://wordpress.org/plugins/quick-testimonials/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jochem Boender"}], "timeline": [{"time": "2025-12-12T16:10:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:42.531969Z", "id": "CVE-2025-14378", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:48:28.382Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14378", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:42.531969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:43.537Z"}}], "cna": {"title": "Quick Testimonials <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jochem Boender"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themeregion", "product": "Quick Testimonials", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:10:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1907308f-a722-48ce-8da4-a6c21ee29575?source=cve"}, {"url": "https://wordpress.org/plugins/quick-testimonials/"}], "descriptions": [{"lang": "en", "value": "The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:45.643Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14378", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:45.643Z", "dateReserved": "2025-12-09T19:04:20.586Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:21.768Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-14378", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:48.950", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/quick-testimonials/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1907308f-a722-48ce-8da4-a6c21ee29575?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:33:16.185388+00:00", "value": {"mitigation_remediation": ["Upgrade Quick Testimonials to a release newer than 2.1, which removes the unescaped admin input vulnerability.", "Restrict administrator privileges to trusted users and disable the unfiltered_html capability on all sites in the network to limit the attack surface for injected scripts.", "Implement a web application firewall or security plugin rule that blocks JavaScript injection in plugin configuration fields to detect and prevent malicious input."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via administrator settings in Quick Testimonials"}, "threat_synthesis": {"affected_systems": "All releases of the Quick Testimonials plugin from the vendor themeregion up to and including version 2.1 are affected. The flaw is limited to multi\u2011site WordPress installations where the unfiltered_html capability has been disabled, a common security configuration for shared hosting environments. Any administrator or higher\u2011privileged user on any site within the network can configure the vulnerable fields and set the injected payload.", "description_and_impact": "The Quick Testimonials plugin for WordPress allows administrators to configure testimonial settings that are stored without proper sanitization or escaping, creating a stored cross\u2011site scripting flaw. An attacker with administrator\u2011level credentials can inject arbitrary JavaScript that is rendered whenever a site visitor loads a page containing the testimonial. This code executes in the context of the site and can lead to cookie theft, session hijacking, defacement, or further client\u2011side attacks. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS v3.1 score of 4.4 places the issue in the low severity range, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, further reducing immediate threat. However, because exploitation requires authenticated administrator access, the impact scales with the trust level and number of such accounts. If an attacker gains those credentials, the injected script can affect all visitors to affected pages, potentially compromising user data and damaging site reputation. The attack path requires only standard WordPress administrative access, which can be achieved remotely via legitimate credentials or credential compromise."}}}}, "created": "2025-12-14T21:14:57.612774+00:00", "updated": "2026-04-22T20:45:27.081202+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}