{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24957", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:35.464Z", "datePublished": "2026-02-03T14:08:34.412Z", "dateUpdated": "2026-04-28T16:14:51.903Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "strong-testimonials", "product": "Strong Testimonials", "vendor": "WP Chill", "versions": [{"changes": [{"at": "3.2.21", "status": "unaffected"}], "lessThanOrEqual": "3.2.20", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:56.946Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Strong Testimonials: from n/a through <= 3.2.20.</p>"}], "value": "Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through <= 3.2.20."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.903Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Strong Testimonials plugin <= 3.2.20 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T17:08:49.655207Z", "id": "CVE-2026-24957", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:51:06.235Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T17:08:49.655207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T17:08:29.735Z"}}], "cna": {"title": "WordPress Strong Testimonials plugin <= 3.2.20 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WP Chill", "product": "Strong Testimonials", "versions": [{"status": "affected", "changes": [{"at": "3.2.21", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.2.20"}], "packageName": "strong-testimonials", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-02T15:56:52.838Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through <= 3.2.20.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Strong Testimonials: from n/a through <= 3.2.20.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-03T14:08:34.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24957", "state": "PUBLISHED", "dateUpdated": "2026-02-03T17:08:55.166Z", "dateReserved": "2026-01-28T09:50:35.464Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:34.412Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through <= 3.2.20."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en WP Chill Strong Testimonials strong-testimonials permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Strong Testimonials: desde n/a hasta &lt;= 3.2.20."}], "id": "CVE-2026-24957", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:16.423", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:04:21.287302+00:00", "value": {"mitigation_remediation": ["Upgrade the Strong Testimonials plugin to a version newer than 3.2.20, such as 3.2.21 or later, which removes the missing authorization check.", "Verify that the plugin\u2019s access\u2011control settings are correctly configured and that only authorized roles can manage testimonials.", "If upgrading is not immediately possible, restrict external access to the plugin\u2019s administrative URLs by implementing WordPress role restrictions or a web application firewall rule that blocks unauthenticated or low\u2011privilege requests to the affected endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the WP\u202fChill Strong Testimonials WordPress plugin through version\u202f3.2.20 and earlier. All installations that have not upgraded past this version remain vulnerable. The vulnerability is tied to the plugin\u2019s access\u2011control configuration, so systems running any of these versions without adequate safeguards are at risk.", "description_and_impact": "A missing authorization check in the WordPress Strong Testimonials plugin allows attackers to bypass intended access controls. The vulnerability, classified as CWE\u2011862, could enable an attacker with any level of web access to use plugin endpoints that should be restricted. This could let them read, create, edit, or delete testimonials or otherwise manipulate data stored by the plugin, compromising data integrity and confidentiality. Without proper privilege checks, even users with limited permissions might gain full control over the plugin's functions.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild, and the issue is not referenced in the CISA Known Exploited Vulnerabilities catalog. The attack vector is not explicitly detailed, but the description implies that exploiting the flaw would involve interacting with the plugin\u2019s administrative interfaces, typically through web requests. While the exact prerequisites are unclear, it is reasonable to infer that some level of authenticated access may be required, or that the vulnerability could be leveraged by a malicious actor who can send crafted requests to the plugin\u2019s endpoints."}}}}, "created": "2026-02-04T12:14:37.703500+00:00", "updated": "2026-04-16T07:15:28.168387+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$strong_testimonials"]}