CVE-2025-49245
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Testimonials Showcase testimonials-showcase allows Reflected XSS. This issue affects Testimonials Showcase: from n/a through <= 1.9.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-49245: Reflected XSS in Testimonials Showcase plugin via improper input neutralization, enabling script injection on affected WordPress sites.
Vulnerability Overview
CVE-2025-49245 is a reflected cross-site scripting (XSS) vulnerability found in the WordPress plugin Testimonials Showcase, affecting versions through 1.9.16. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript code into the application's output [1]. This class of vulnerability is classified as 'Improper Neutralization of Input During Web Page Generation' (CWE-79).
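As an added illustration of the CWE-79 pattern described above, the following is generic WordPress example code, not the plugin's own source; the shortcode name, the `ts_cat` parameter and both function names are hypothetical. It places the unescaped reflection beside the form that sanitizes on input and escapes per output context:

```php
<?php
/**
 * Added illustration of CWE-79 (not code from Testimonials Showcase).
 * A hypothetical shortcode renders a category filter whose current value
 * is reflected from the query string. The first handler writes the raw
 * parameter into the page; the second applies the WordPress escaping API.
 */

// Vulnerable pattern: the query-string value is written into HTML unescaped,
// so a crafted link controls both the attribute value and the element body.
function ts_example_filter_vulnerable() {
    $cat = isset( $_GET['ts_cat'] ) ? $_GET['ts_cat'] : '';
    return '<input type="text" name="ts_cat" value="' . $cat . '">'
         . '<p>Showing testimonials for: ' . $cat . '</p>';
}

// Hardened pattern: unslash and sanitize the input once, then escape it
// for each output context (attribute vs. text node) where it is reflected.
function ts_example_filter_hardened() {
    $cat = isset( $_GET['ts_cat'] )
        ? sanitize_text_field( wp_unslash( $_GET['ts_cat'] ) )
        : '';
    return '<input type="text" name="ts_cat" value="' . esc_attr( $cat ) . '">'
         . '<p>Showing testimonials for: ' . esc_html( $cat ) . '</p>';
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_shortcode( 'ts_example_filter', 'ts_example_filter_hardened' );
```

The point of the contrast is that `sanitize_text_field()` is input hygiene, not output protection: the reflected value still needs `esc_attr()` inside an attribute and `esc_html()` inside element text, because the characters that break out of each context differ. A code review looking for this class of bug checks every place a request parameter reaches `echo` or string concatenation into markup and confirms an `esc_*` call appropriate to that context sits on the output side.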
Exploitation Details
To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a specially crafted link or visiting a maliciously prepared page. No direct authentication is needed for the attacker, as the reflected XSS payload is executed in the context of the victim's session when the crafted input is processed by the plugin. The CVSS score of 7.1 (High) reflects the moderate complexity and the need for user interaction [1].
Impact
Successful exploitation allows the attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when visitors access the affected site, potentially leading to data theft, session hijacking, or defacement. Given the plugin's wide usage in WordPress, this vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns [1].
Mitigation
The vulnerability has been addressed in version 1.9.18 of the Testimonials Showcase plugin. Users are strongly advised to update immediately to this patched version. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update can be applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.9.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.