The Social Proof (Testimonial) Slider plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) in its spslider-block shortcode. This vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and output escaping of user-supplied shortcode attributes. An attacker with contributor-level or higher privileges can inject arbitrary JavaScript code that executes in the context of users viewing the affected pages. This can lead to information disclosure or session hijacking. The vulnerability affects all plugin versions up to 2.2.4. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No patch or remediation details are currently provided by the vendor.

An authenticated attacker with contributor-level access or higher can inject persistent malicious scripts via the vulnerable shortcode attributes. These scripts execute in the browsers of users who visit the compromised pages, potentially leading to theft of sensitive information or session tokens. The vulnerability does not impact availability. The scope is changed, meaning the vulnerability affects resources beyond the attacker’s privileges. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only and consider disabling or removing the Social Proof (Testimonial) Slider plugin if possible. Monitor for updates from the plugin author or WordPress security channels for a patch or official mitigation instructions.