{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-06T08:45:37.876Z", "datePublished": "2025-10-25T05:31:19.307Z", "dateUpdated": "2026-04-08T16:40:59.413Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:59.413Z"}, "affected": [{"vendor": "uapp", "product": "Testimonial Carousel For Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "11.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions less than, or equal to, 11.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Testimonial Carousel For Elementor <= 11.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f5c3b2c-1ed2-47e1-8e39-cbe6f2973d15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/section-with-carousel/class-section-with-cube.php#L1167"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1425"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1443"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-cube.php#L913"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/testimonials-carousel/class-testimonialscarousel-blog.php#L1192"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-07-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-24T17:10:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:47:51.767571Z", "id": "CVE-2025-8666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:48:15.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:47:51.767571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:48:11.407Z"}}], "cna": {"title": "Testimonial Carousel For Elementor <= 11.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "uapp", "product": "Testimonial Carousel For Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "11.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-24T17:10:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f5c3b2c-1ed2-47e1-8e39-cbe6f2973d15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/section-with-carousel/class-section-with-cube.php#L1167"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1425"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1443"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-cube.php#L913"}, {"url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/testimonials-carousel/class-testimonialscarousel-blog.php#L1192"}], "descriptions": [{"lang": "en", "value": "The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions less than, or equal to, 11.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-25T05:31:19.307Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8666", "state": "PUBLISHED", "dateUpdated": "2025-10-27T15:48:15.392Z", "dateReserved": "2025-08-06T08:45:37.876Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:19.307Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions less than, or equal to, 11.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8666", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:37.220", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1425"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-coverflow.php#L1443"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/animated-carousel/class-testimonialscarousel-cube.php#L913"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/section-with-carousel/class-section-with-cube.php#L1167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/testimonials-carousel-elementor/tags/11.6.2/widgets/testimonials-carousel/class-testimonialscarousel-blog.php#L1192"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f5c3b2c-1ed2-47e1-8e39-cbe6f2973d15?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:01:53.384343+00:00", "value": {"mitigation_remediation": ["Upgrade the Testimonial Carousel for Elementor plugin to the latest version that implements proper input sanitization and output escaping, i.e., any release newer than 11.6.2.", "If an upgrade is not available, fully deactivate or uninstall the plugin from all production environments to eliminate the stored XSS surface.", "Restrict contributor\u2011level access or revoke the ability to edit widget parameters that store user input; only administrators should have this capability until a patch is applied.", "Optionally enforce a site\u2011wide content filter or application\u2011layer firewall rule to strip JavaScript from the affected widget fields, providing an additional containment layer."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Testimonial Carousel for Elementor plugin installed at version 11.6.2 or earlier are affected. The plugin is distributed by uapp and the vulnerability applies to all widgets that accept input fields shown in the code references. Site administrators should verify that no older versions are active and note that only users with contributor-level or administrative roles can exploit the issue.", "description_and_impact": "The Testimonial Carousel for Elementor plugin contains a stored cross\u2011site scripting flaw that permits authenticated users with contributor or higher privileges to inject arbitrary JavaScript into widget parameters. The flaw arises from insufficient sanitization and output escaping, causing the plugin to persist malicious scripts in the database and render them when a page containing the widget is accessed. An attacker could use the injected script to deface the site, steal user session cookies, or execute other malicious payloads in the browser context of legitimate visitors. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 classifies this vulnerability as medium, and the EPSS score of less than 1% indicates a low expected exploitation rate. The flaw is not listed in the CISA KEV catalog, further suggesting limited known activity. Exploitation requires authenticated contributor access, so attackers must first compromise a user account or obtain credentials. Once the account is available, the attacker can submit malicious widget content that is stored and executed for any subsequent visitor to the affected page."}}}}, "created": "2025-10-27T22:10:17.043887+00:00", "updated": "2026-04-22T14:15:20.395447+00:00", "vendors": ["uapp", "uapp$PRODUCT$testimonial_carousel_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}