Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS. This issue affects TC Testimonials: from n/a through 1.1.1.
The vulnerability results from improper neutralization of input data during web page generation (CWE-79). An attacker can inject malicious JavaScript code into fields supported by the plugin, which is then permanently stored in the database. Each time the infected page is displayed, the malicious script is executed in the victim's browser without their knowledge.
An attacker can hijack sessions of logged-in users (including administrators), perform actions on their behalf, steal authentication credentials, or introduce unauthorized modifications to the website. Due to the changed scope (S:C), the impact may extend beyond the application itself.
The TC Testimonials plugin should be updated to a version higher than 1.1.1. Detailed information about available patches can be found in the vendor references and in the Patchstack database.
WordPress TC Testimonials plugin by Imran Emu, versions from the beginning up to and including 1.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H