VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-24957

Description

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Strong Testimonials: from n/a through <= 3.2.20.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Strong Testimonials plugin for WordPress up to 3.2.20 has a missing authorization vulnerability allowing unprivileged users to perform higher privileged actions.

Vulnerability Details

The Strong Testimonials plugin for WordPress (versions up to and including 3.2.20) suffers from a missing authorization vulnerability. This broken access control issue means that the plugin fails to properly verify access rights for certain functions, allowing users with lower privileges to execute actions intended for higher-privileged users [1]. The root cause is the absence of adequate authorization checks, nonce validation, or authentication requirements in affected functionality.

Exploitation

Exploitation does not require any special network position; any user who can interact with the WordPress site (including unauthenticated visitors) may be able to exploit this flaw if the vulnerable endpoint is exposed. The attack surface is typical for WordPress plugins where user roles and capabilities are not consistently enforced. The vulnerability is classified as medium severity (CVSS 6.5) but is considered low risk for mass exploitation according to the vendor's assessment [1].

Impact

Successful exploitation can allow an attacker to gain unauthorized access to administrative or higher-privileged actions. This could include modifying plugin settings, altering testimonials, or accessing sensitive data. However, the vulnerability is rated as low likelihood of exploitation due to the need for specific conditions [1].

Mitigation

The vulnerability is patched in version 3.2.21 of the Strong Testimonials plugin. Users are strongly advised to update to the latest version immediately. For those unable to update, applying web application firewall rules or disabling the plugin may serve as temporary workarounds [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
