Medium severity 5.4 · NVD Advisory · Published Mar 31, 2025 · Updated Apr 23, 2026

CVE-2025-31588

Description

Cross-Site Request Forgery (CSRF) vulnerability in elfsight Elfsight Testimonials Slider elfsight-testimonials-slider allows Cross Site Request Forgery. This issue affects Elfsight Testimonials Slider: from n/a through <= 1.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Elfsight Testimonials Slider plugin for WordPress (≤1.0.1) is vulnerable to CSRF, enabling attackers to change plugin settings by tricking a privileged user.

The Elfsight Testimonials Slider plugin for WordPress (versions up to and including 1.0.1) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to forge requests that can change plugin settings, bypassing the intended authentication and authorization mechanisms because the request is made under the session of an authenticated administrator [1].

The vulnerability is exploitable through user interaction: an attacker must trick a privileged user (such as an administrator) into clicking a malicious link or visiting a crafted page while that user is logged into WordPress. The CSRF attack then executes unwanted actions, such as altering the slider's configuration or appearance, under the victim's current authentication [1].

Successful exploitation could allow a malicious actor to modify plugin settings, potentially leading to further compromise of the site. According to the advisory, such CSRF vulnerabilities are used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

As mitigation, users should update the plugin to a patched version as soon as one is available. If unable to update, the advisory recommends contacting the hosting provider or a web developer for assistance. The CVSS v3 base score is 5.4 (Medium), reflecting the requirement for user interaction and the network attack vector [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
