Testimonial Master WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Testimonial Master plugin for WordPress, affecting all versions up to and including 0.2.1. The issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. This injected script can be executed if the attacker successfully convinces a user to perform a specific action, such as clicking a link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an attacker can craft a link that includes a malicious script payload. This link should be designed to exploit the vulnerability by injecting the script through the 'PHP_SELF' variable. Once the link is clicked, the injected script will be executed in the user's browser.

Remediation

No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and find a replacement.