CVE-2025-14379 Overview
The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with administrator-level permissions or above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated administrators can inject persistent malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further compromise of the WordPress installation.
Affected Products
- WordPress Testimonials Creator plugin version 1.6
- WordPress Multi-site installations with the plugin enabled
- WordPress installations where unfiltered_html capability has been disabled
Discovery Timeline
- 2026-01-14 - CVE-2025-14379 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-14379
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the administrative settings interface of the Testimonials Creator plugin. The core issue stems from the plugin's failure to properly sanitize user-supplied input and escape output when rendering admin settings values. When an authenticated administrator saves settings containing malicious JavaScript payloads, these scripts are stored in the database and subsequently rendered without proper encoding.
The vulnerability specifically impacts WordPress Multi-site installations and single-site installations where the unfiltered_html capability has been explicitly disabled. In standard WordPress configurations, administrators typically have the unfiltered_html capability which already allows them to post unfiltered HTML content. However, in hardened environments or multi-site setups where this capability is removed for security reasons, this vulnerability provides a bypass mechanism.
Root Cause
The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to implement proper input validation and output encoding for administrative settings fields. Specifically, the plugin stores user input directly without sanitizing potentially dangerous HTML and JavaScript content, and when rendering these values back to the page, it does not apply appropriate escaping functions such as esc_html(), esc_attr(), or wp_kses() that WordPress provides for this purpose.
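The following is an added illustrative example, not code from the Testimonials Creator plugin or from the advisory. It contrasts the CWE-79 pattern described above (raw input stored, raw value echoed) with the hardened form that uses the WordPress functions the text names: sanitize on save via a register_setting() sanitize_callback, which runs regardless of whether the user holds unfiltered_html, and escape on output with esc_attr()/esc_textarea(). The option name tc_settings, the field names heading and blurb, the option group and the text domain are assumptions; the code is meant to be loaded inside WordPress (for example as a plugin file), not run from the command line.

```php
<?php
// Added example, not the plugin's code. Option/field names are assumptions.

// --- Vulnerable pattern (CWE-79): input stored as-is, output echoed without escaping ---
// Shown for contrast only; nothing below hooks these two functions into WordPress.
function tc_save_settings_vulnerable() {
    // No capability check, no nonce check, no sanitization of the submitted value.
    update_option( 'tc_settings', array( 'heading' => $_POST['tc_heading'] ) );
}

function tc_render_settings_vulnerable() {
    $settings = get_option( 'tc_settings', array( 'heading' => '' ) );
    // The stored value lands inside an attribute unescaped, so stored markup is rendered live.
    echo '<input type="text" name="tc_heading" value="' . $settings['heading'] . '">';
}

// --- Hardened pattern: sanitize on save, escape on output, capability + nonce enforced ---
function tc_sanitize_settings( $input ) {
    $clean = array();
    // sanitize_text_field() strips tags and line breaks; suitable for plain-text settings.
    $clean['heading'] = isset( $input['heading'] ) ? sanitize_text_field( $input['heading'] ) : '';
    // Where limited markup is a feature, wp_kses() with an explicit allowlist keeps only that markup.
    $allowed        = array( 'em' => array(), 'strong' => array() );
    $clean['blurb'] = isset( $input['blurb'] ) ? wp_kses( $input['blurb'], $allowed ) : '';
    return $clean;
}

function tc_register_settings() {
    // The sanitize_callback is applied by WordPress on every save of this option,
    // independently of the saving user's unfiltered_html capability.
    register_setting( 'tc_settings_group', 'tc_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'tc_sanitize_settings',
        'default'           => array( 'heading' => '', 'blurb' => '' ),
    ) );
}
add_action( 'admin_init', 'tc_register_settings' );

function tc_render_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions', 'tc' ) );
    }
    $settings = get_option( 'tc_settings', array( 'heading' => '', 'blurb' => '' ) );
    echo '<form method="post" action="options.php">';
    settings_fields( 'tc_settings_group' ); // emits the nonce and hidden option-group fields
    // Escape for the context the value is printed into: esc_attr() in attributes,
    // esc_textarea() inside <textarea>, esc_html() in plain HTML body text.
    echo '<input type="text" name="tc_settings[heading]" value="' . esc_attr( $settings['heading'] ) . '">';
    echo '<textarea name="tc_settings[blurb]">' . esc_textarea( $settings['blurb'] ) . '</textarea>';
    submit_button();
    echo '</form>';
}
```

The two halves of the fix are independent and both are needed: sanitizing on save limits what reaches wp_options, and escaping on output means that even a value written to the database by another path (a direct SQL edit, an older plugin version, an import) cannot execute when the settings page renders it.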
Attack Vector
The attack requires network access and authentication with administrator-level privileges. An attacker with administrative access to the WordPress dashboard can navigate to the Testimonials Creator plugin settings page and inject malicious JavaScript code into vulnerable settings fields.
Once the malicious payload is stored, it persists in the database and executes whenever any user (including other administrators or super admins in multi-site environments) views a page where the injected content is rendered. This could enable session hijacking, phishing attacks, or privilege escalation within the WordPress environment.
The attack complexity is rated high because exploitation depends on a specific configuration: multi-site installations, or single-site installations where unfiltered_html has been disabled. This narrows the set of affected deployments.
Detection Methods for CVE-2025-14379
Indicators of Compromise
- Unexpected JavaScript code present in the Testimonials Creator plugin settings stored in the wp_options database table
- Browser console errors or suspicious script execution when loading pages that display testimonials
- Anomalous network requests originating from testimonial display pages to external domains
- Unexpected changes to plugin settings by administrator accounts
Detection Strategies
- Review the Testimonials Creator plugin settings in the WordPress database for any suspicious HTML or JavaScript content
- Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Monitor WordPress admin activity logs for modifications to the Testimonials Creator plugin settings
- Use web application firewalls (WAF) configured to detect XSS payloads in POST requests to the plugin settings endpoints
Monitoring Recommendations
- Enable WordPress audit logging to track all changes to plugin settings with user attribution
- Configure alerts for modifications to the Testimonials Creator plugin options in the database
- Implement browser-based XSS detection through CSP violation reporting
- Regularly scan the WordPress database for known XSS payload patterns in option values
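The following is an added example, not part of the advisory, that implements the scan called for in the Indicators of Compromise and Monitoring lists above: it walks option rows of the kind stored in wp_options (serialized arrays included) and reports values containing markers that should never appear in plain-text plugin settings. The rows at the bottom are constructed sample data, and the tc_ option-name prefix is an assumption, since the advisory does not name the plugin's actual option keys. It runs stand-alone with the php CLI; inside WordPress the same function can be fed real rows from $wpdb->get_results() as described after the block.

```php
<?php
// Added detection example, not the plugin's code. Sample rows are constructed.

/** Patterns that indicate script content in a setting expected to be plain text. */
function tc_xss_indicators() {
    return array(
        'script-tag'     => '/<\s*script\b/i',
        'event-handler'  => '/\bon[a-z]+\s*=/i',
        'javascript-uri' => '/javascript\s*:/i',
        'data-uri-html'  => '/data\s*:\s*text\/html/i',
        'active-element' => '/<\s*(svg|iframe|object|embed)\b/i',
    );
}

/** Flatten nested arrays into "a/b/c" => leaf pairs so nested settings are covered. */
function tc_flatten( $data, $prefix = '' ) {
    if ( ! is_array( $data ) ) {
        return array( $prefix => $data );
    }
    $out = array();
    foreach ( $data as $k => $v ) {
        $out += tc_flatten( $v, $prefix === '' ? (string) $k : $prefix . '/' . $k );
    }
    return $out;
}

/**
 * Scan rows shaped like wp_options (option_name, option_value) and return findings.
 * Each finding names the option, the path inside a serialized array, and the indicator hit.
 */
function tc_scan_options( array $rows ) {
    $findings = array();
    foreach ( $rows as $row ) {
        $raw = $row['option_value'];
        // WordPress serializes array options; unserialize without instantiating objects.
        $decoded = @unserialize( $raw, array( 'allowed_classes' => false ) );
        $leaves  = ( $decoded !== false ) ? tc_flatten( $decoded ) : array( '' => $raw );
        foreach ( $leaves as $path => $text ) {
            if ( ! is_string( $text ) ) {
                continue;
            }
            foreach ( tc_xss_indicators() as $label => $pattern ) {
                if ( preg_match( $pattern, $text ) ) {
                    $findings[] = array(
                        'option'    => $row['option_name'],
                        'path'      => $path,
                        'indicator' => $label,
                        'excerpt'   => substr( $text, 0, 80 ),
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for the result of:
//   SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'tc_%'
$sample_rows = array(
    array( 'option_name' => 'tc_settings', 'option_value' => serialize( array(
        'heading' => 'What our customers say',
        'blurb'   => '<em>Real</em> reviews',
    ) ) ),
    array( 'option_name' => 'tc_settings_suspect', 'option_value' => serialize( array(
        'heading' => 'Reviews<script>/* constructed marker */</script>',
        'nested'  => array( 'link' => 'javascript:void(0)' ),
    ) ) ),
    array( 'option_name' => 'tc_plain', 'option_value' => 'just text' ),
);

foreach ( tc_scan_options( $sample_rows ) as $f ) {
    // Expected: two lines, both for tc_settings_suspect (script-tag at heading, javascript-uri at nested/link)
    printf( "%s [%s] %s: %s\n", $f['option'], $f['path'], $f['indicator'], $f['excerpt'] );
}
```

To run it against a live site, replace $sample_rows with the rows returned by $wpdb->get_results( $wpdb->prepare( "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s", 'tc_%' ), ARRAY_A ), adjusting the prefix to the plugin's real option names. Treat a hit as a lead, not proof: legitimate settings that intentionally hold markup (a blurb allowing <em>) will not match these patterns, but a site-specific allowlist may still be needed to suppress known-good entries, and any confirmed finding should be cross-checked against the admin activity log for the account and time of the change.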
How to Mitigate CVE-2025-14379
Immediate Actions Required
- Review and audit current Testimonials Creator plugin settings for any suspicious or unexpected content
- Temporarily disable the Testimonials Creator plugin on multi-site installations until a patched version is available
- Restrict administrator access to only trusted users and implement the principle of least privilege
- Consider implementing additional access controls for the plugin settings page
Patch Information
At the time of publication, organizations should monitor the WordPress Plugin Page for an updated version that addresses this vulnerability. Additional technical analysis is available from Wordfence Vulnerability Analysis.
Workarounds
- On multi-site installations, consider temporarily removing the plugin until a patch is released
- Implement strict Content Security Policy headers to prevent execution of inline scripts
- Use a Web Application Firewall (WAF) to filter malicious input patterns targeting the plugin settings
- Regularly audit administrator accounts and revoke access for any untrusted or unnecessary accounts
# Add Content Security Policy header to WordPress .htaccess
# This helps mitigate XSS attacks by restricting script sources.
# Requires mod_headers; the IfModule guard prevents a server error if the module is not loaded.
# "always" applies the header to error responses too, so pages served with non-2xx status are covered.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'self' https://trusted-cdn.example.com; object-src 'none';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

