CVE-2025-11268

Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution

CVSS 4.3 MEDIUMEPSS 0.2%CWE-79

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected products

wpchill · Strong Testimonials

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve