CVE-2025-31587
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elfsight Elfsight Testimonials Slider (elfsight-testimonials-slider) allows Stored XSS. This issue affects Elfsight Testimonials Slider: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Elfsight Testimonials Slider plugin for WordPress (<=1.0.1) allows authenticated attackers to inject malicious scripts, potentially leading to site compromise.
The Elfsight Testimonials Slider plugin for WordPress versions up to and including 1.0.1 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code into the testimonials slider, which is then stored and executed when other users view the affected page.
Exploitation requires an authenticated user with sufficient privileges to submit or manage testimonials. The attacker must be able to insert malicious payloads into fields that are not properly sanitized. Once stored, the payload triggers when any visitor (including administrators) loads the page containing the slider, potentially without requiring additional user interaction beyond normal browsing [1].
Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's browser. This can be used to redirect users to malicious sites, display unwanted advertisements, deface the website, or steal sensitive information such as session cookies and authentication tokens. The vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites [1].
As a mitigation, users should update the Elfsight Testimonials Slider plugin to a version newer than 1.0.1, which contains the necessary input sanitization fixes. No workaround is currently available, and site administrators are advised to apply the update immediately to prevent potential exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.1
Patches
No patches discovered yet.
References