CVE-2025-67912

Vulnerability

Overview CVE-2025-67912 is a stored cross-site scripting (XSS) vulnerability in the Premio Stars Testimonials plugin for WordPress, affecting versions from n/a through 3.3.4. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into testimonial content that is later served to other users [1].

Exploitation

Prerequisites Exploitation requires a privileged user (e.g., an editor or administrator) to submit or approve a testimonial containing the malicious payload. The attacker must have the ability to create or modify testimonial entries, but no special network position is needed beyond standard web access. User interaction is required from the victim (e.g., visiting the page containing the injected script) [1].

Impact

A successful attack enables the attacker to execute arbitrary JavaScript in the context of any visitor's browser when they view the affected page. This can be used to redirect users to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions within the context of the victim's session [1].

Mitigation

The vendor has released version 3.3.5 which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are documented, and the plugin should be updated as the primary remediation [1].