VYPR
Medium severity · CVSS 4.4 · NVD Advisory · Published Dec 13, 2025 · Updated Apr 15, 2026

CVE-2025-14378

Description

The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Quick Testimonials WordPress plugin up to v2.1 allows admin-level attackers on multisite or unfiltered_html-disabled installs to inject arbitrary web scripts.

The Quick Testimonials plugin for WordPress (versions up to and including 2.1) is vulnerable to Stored Cross-Site Scripting (XSS) via its admin settings. The root cause is insufficient input sanitization and output escaping of user-supplied data within the plugin's administrative interface. This flaw allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts that are stored on the server [1].

The attack surface is limited in scope. The vulnerability is exploitable only on multi-site WordPress installations, or on single-site installations where the unfiltered_html capability has been explicitly disabled for administrators. On installations where administrators hold unfiltered_html, they are permitted to publish arbitrary markup anyway, so the missing sanitization only becomes a security boundary violation where that capability has been withheld. Because the attack requires administrator-level credentials together with one of those configurations, it is not remotely exploitable by unauthenticated users or lower-privileged roles. An attacker with sufficient access can inject malicious scripts via plugin settings, such as in testimonial content or configuration fields [1].
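To make the root cause concrete, the following is an added illustration of the general pattern behind this class of bug, not the Quick Testimonials plugin's own code: a settings handler that stores raw input and echoes it unescaped, beside a hardened version that sanitizes on save and escapes on output. All function, option and settings-group names (prefixed `qt_demo_`) are hypothetical. The key point it demonstrates is why the unfiltered_html restriction does not help here: WordPress applies its kses filtering to post content for users who lack that capability, but plugin options written with `update_option()` are sanitized only by whatever the plugin registers itself.

```php
<?php
/**
 * Added illustration (not the Quick Testimonials plugin's code): a stored-XSS-prone
 * admin settings handler beside a hardened one. Names prefixed qt_demo_ are made up.
 */

// --- Vulnerable pattern: raw input stored, raw output rendered ---------------

function qt_demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Defect: the submitted value is persisted unchanged. update_option() does not
    // apply WordPress's kses filtering on its own, so the unfiltered_html restriction
    // that protects post content gives no protection to this option.
    update_option( 'qt_demo_heading', wp_unslash( $_POST['qt_demo_heading'] ?? '' ) );
}

function qt_demo_render_heading_vulnerable() {
    // Defect: the stored value is echoed into HTML without escaping, so any markup
    // saved above is rendered (and any script in it executed) for every viewer.
    echo '<h2 class="qt-heading">' . get_option( 'qt_demo_heading', '' ) . '</h2>';
}

// --- Hardened pattern: sanitize on input, escape on output -------------------

function qt_demo_register_settings() {
    // register_setting() attaches sanitize_callback to the sanitize_option_{option}
    // filter, which update_option() runs, so the sanitizer applies on every save
    // regardless of which role performs it.
    register_setting( 'qt_demo_group', 'qt_demo_heading', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain-text field: strip all tags
        'default'           => '',
    ) );
    // A field that legitimately needs limited markup (e.g. a testimonial body) gets
    // wp_kses_post(), the same tag allow-list WordPress applies to post content.
    register_setting( 'qt_demo_group', 'qt_demo_body', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'qt_demo_register_settings' );

function qt_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'qt_demo_save' ); // nonce check: CSRF protection on the form
    // Sanitize explicitly as well, so the handler is safe even if it is ever called
    // outside the Settings API.
    $heading = sanitize_text_field( wp_unslash( $_POST['qt_demo_heading'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['qt_demo_body'] ?? '' ) );
    update_option( 'qt_demo_heading', $heading );
    update_option( 'qt_demo_body', $body );
}

function qt_demo_render_hardened() {
    // Escape for the context each value lands in: esc_attr() inside an attribute,
    // esc_html() as element text, wp_kses_post() for an allowed-markup body.
    $heading = get_option( 'qt_demo_heading', '' );
    $body    = get_option( 'qt_demo_body', '' );
    printf(
        '<h2 class="qt-heading" title="%s">%s</h2><div class="qt-body">%s</div>',
        esc_attr( $heading ),
        esc_html( $heading ),
        wp_kses_post( $body )
    );
}
```

When auditing a plugin for this issue, the two places to check are exactly the two halves above: every `update_option()` / `add_option()` call fed from `$_POST` or `$_REQUEST` (is there a sanitizer, either inline or via `register_setting()`?), and every `echo`/`printf` of a stored option or testimonial field (is it wrapped in the escaping function matching its HTML context?). Storing already-sanitized data does not remove the need for output escaping, since the same value may later be rendered in an attribute, in element text, or in JavaScript.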

The impact of successful exploitation is that when any other user (including site visitors or other administrators) accesses a page or admin screen that renders the injected payload, the arbitrary script executes in their browser. This can lead to theft of session cookies, defacement of the site, or redirection to malicious domains. Given the administrative context, an attacker could potentially pivot to create new admin accounts or modify site content [1].

The plugin has been closed on the WordPress Plugin Directory as of December 11, 2025, and is no longer available for download due to the unresolved security issue. No patched version exists; site administrators should remove or replace the plugin immediately. Disabling the plugin on affected multisite networks is the recommended workaround until a replacement is found [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.