RadiusTheme Testimonial Slider and Showcase
cpe:2.3:a:radiustheme:testimonial_slider_and_showcase:*:*:*:*:wordpress:*:*
- <= 2.2.6
A stored cross-site scripting vulnerability has been identified in the WordPress plugin Testimonial Slider and Showcase, specifically in version 2.2.6. This vulnerability allows authenticated editors to inject malicious scripts via the post_title parameter, which is not properly sanitized. When JavaScript payloads are injected through the testimonial title field, they execute in the browsers of users viewing the draft post. Exploitation can lead to cookie theft and session hijacking.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the testimonial.
To reproduce this vulnerability, an authenticated editor can add a new testimonial and inject a script payload into the title field. After saving the draft, the injected script will execute when the draft is previewed.
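As an added example that is not the plugin's own code, the following shows the bug class described above in WordPress terms: a testimonial title printed into markup without escaping, beside the escaped form, plus a save-time filter as defense in depth. The post type slug `testimonial` and the `example_*` function names are assumptions.

```php
<?php
// Added example, not code from the Testimonial Slider and Showcase plugin.
// Assumptions: the testimonial post type is registered as 'testimonial' and the
// example_* function names are placeholders.

// Vulnerable pattern: the stored title is concatenated into HTML verbatim, so any
// markup or <script> saved in post_title is rendered and executed by the viewer's
// browser (including on draft preview, which is the path the advisory describes).
function example_render_testimonial_unsafe( WP_Post $post ): string {
    return '<h3 class="testimonial-title">' . $post->post_title . '</h3>';
}

// Hardened pattern: escape at the point of output. esc_html() converts <, >, &,
// " and ' to HTML entities, so stored markup is shown as text, never executed.
// Escaping on output protects viewers regardless of who saved the content or
// which code path wrote it, so it is the primary control.
function example_render_testimonial_safe( WP_Post $post ): string {
    return '<h3 class="testimonial-title">' . esc_html( $post->post_title ) . '</h3>';
}

// Defense in depth: strip all HTML from the title when a testimonial is saved.
// The $data array handed to 'wp_insert_post_data' is still slash-escaped, and
// wp_filter_nohtml_kses() strips slashes, removes tags via wp_kses(), and
// re-adds the slashes, so it is the right helper for this hook.
function example_strip_html_from_testimonial_title( array $data, array $postarr ): array {
    if ( isset( $data['post_type'], $data['post_title'] ) && 'testimonial' === $data['post_type'] ) {
        $data['post_title'] = wp_filter_nohtml_kses( $data['post_title'] );
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'example_strip_html_from_testimonial_title', 10, 2 );
```

The save-time filter only covers writes that pass through wp_insert_post(), so the output escaping in the safe renderer is what actually closes the vulnerability for already-stored titles.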