CVE-2025-11268

Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution

CVSS 4.3 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

06 nov 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Produtos afetados

wpchill · Strong Testimonials

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://plugins.trac.wordpress.org/changeset/3381902/strong-testimonials https://www.wordfence.com/threat-intel/vulnerabilities/id/cbdfe58e-1e09-41b6-8ac9-6976c27aa58d?source=cve