CVE-2025-68075 Overview
CVE-2025-68075 is a stored Cross-Site Scripting (XSS) vulnerability affecting the BNE Testimonials WordPress plugin in versions up to and including 2.0.8. Authenticated users with Contributor-level privileges can inject malicious JavaScript that executes in the browsers of other users viewing affected pages. The vulnerability is classified under CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
A Contributor-level authenticated attacker can inject persistent JavaScript payloads that execute in the context of site visitors and administrators, enabling session theft, forced actions, and content manipulation.
Affected Products
- BNE Testimonials WordPress plugin versions <= 2.0.8
- WordPress sites permitting Contributor-level registrations or accounts
- Any deployment relying on the BNE Testimonials plugin for user-submitted content
Discovery Timeline
- 2026-06-26 - CVE-2025-68075 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2025-68075
Vulnerability Analysis
The BNE Testimonials plugin fails to properly sanitize or encode user-supplied input before rendering it in HTML output. A Contributor-authenticated user can submit testimonial content containing HTML or JavaScript that the plugin persists and later renders without adequate neutralization. When another user, including an administrator, views the affected page, the browser parses and executes the attacker-controlled script.
Exploitation requires authentication at the Contributor role and user interaction to view the injected content. The vulnerability crosses a privilege boundary because Contributors typically cannot inject unfiltered HTML, yet this flaw allows script execution in higher-privileged sessions. Successful exploitation permits cookie exfiltration, session hijacking, forced administrative actions via CSRF chaining, and defacement of rendered pages.
Root Cause
The root cause is missing or insufficient output encoding when the plugin renders testimonial fields submitted by low-privilege authors. Input received through plugin form handlers is stored in the WordPress database and later echoed into the DOM without calling appropriate escaping functions such as esc_html(), esc_attr(), or wp_kses_post() with a restrictive allowlist. The result is a stored XSS primitive persistent across page loads.
Attack Vector
An attacker first obtains or registers a Contributor-level account on the target WordPress site. The attacker submits a testimonial entry containing a JavaScript payload embedded in a vulnerable field. When a moderator, editor, or administrator previews the submission or when the entry appears on a public page viewed by any visitor, the script executes in the victim's browser under the site's origin. See the Patchstack WordPress Plugin Vulnerability advisory for advisory details.
Detection Methods for CVE-2025-68075
Indicators of Compromise
- Testimonial database entries containing <script>, onerror=, onload=, or javascript: substrings within the wp_posts or plugin-specific tables
- Unexpected outbound requests from administrator browsers to attacker-controlled domains following testimonial page views
- New or modified WordPress administrator accounts created shortly after Contributor account activity
- Unusual DOM modifications or injected <iframe> elements observed in rendered testimonial pages
Detection Strategies
- Audit the plugin database tables for stored HTML tags or event handler attributes in fields that should contain only plain text
- Monitor WordPress access logs for Contributor accounts posting to testimonial endpoints followed by administrator sessions viewing those entries
- Deploy Content Security Policy (CSP) reporting to capture inline script execution attempts on pages rendering testimonial content
Monitoring Recommendations
- Alert on creation of new Contributor accounts followed by immediate submission activity to plugin endpoints
- Track administrator session cookies for unexpected transmission to external hosts, indicating possible exfiltration
- Review plugin activity logs and WordPress user role changes on a scheduled basis to catch privilege escalation chained from XSS
How to Mitigate CVE-2025-68075
Immediate Actions Required
- Update the BNE Testimonials plugin to a version later than 2.0.8 as soon as the vendor publishes a fix
- Restrict Contributor account registration and audit existing Contributor-level accounts for legitimacy
- Review all existing testimonial entries and remove any containing embedded HTML, script tags, or JavaScript event handlers
Patch Information
Refer to the Patchstack advisory for BNE Testimonials for the latest vendor patch status and fixed version information. Apply the update through the WordPress plugin management interface once available.
Workarounds
- Deactivate the BNE Testimonials plugin until a patched version is available if testimonial functionality is non-critical
- Deploy a web application firewall (WAF) rule to block requests containing script tags or common XSS payloads targeting plugin endpoints
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Temporarily demote Contributor accounts or require editor-level review of all testimonial submissions before publication
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

