CVE-2025-14379 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Testimonials Creator plugin for WordPress, specifically version 1.6. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape input fields in the admin settings. This flaw allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. The malicious scripts are stored persistently and executed in the context of any user who visits the affected pages, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, restricting the attack surface to environments with stricter content filtering. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges (administrator), no user interaction needed for exploitation, network attack vector, and limited impact on confidentiality and integrity. No public exploits have been reported yet, and no official patches are currently linked, indicating that mitigation may rely on administrative controls and monitoring until a fix is released. The vulnerability was published on January 14, 2026, and assigned by Wordfence. This issue underscores the importance of input validation and output escaping in WordPress plugins, especially those handling user-generated content in multi-site environments.

For European organizations, this vulnerability poses a moderate risk primarily to those operating WordPress multi-site installations with the Testimonials Creator plugin version 1.6. Successful exploitation could allow an attacker with administrator privileges to inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. While the requirement for administrator-level access limits the likelihood of exploitation by external attackers, insider threats or compromised administrator accounts could leverage this vulnerability to escalate attacks. The impact on confidentiality and integrity is limited but non-negligible, as sensitive data could be exposed or manipulated. Availability is not affected. Organizations relying on WordPress for public-facing or internal multi-site platforms should be cautious, as the vulnerability could undermine trust and lead to reputational damage if exploited. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.

1. Monitor for and apply updates to the Testimonials Creator plugin as soon as a security patch addressing CVE-2025-14379 is released by the vendor. 2. Until a patch is available, restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Review and audit administrator activity logs to detect any unauthorized changes to plugin settings that could indicate attempted exploitation. 4. Consider disabling or limiting the use of the Testimonials Creator plugin in multi-site environments if it is not essential. 5. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting the execution of unauthorized scripts. 6. Use security plugins or Web Application Firewalls (WAFs) that can detect and block suspicious input patterns targeting plugin settings. 7. Educate administrators about the risks of stored XSS and the importance of cautious input handling. 8. For organizations with development resources, consider code review or temporary custom patches to sanitize and escape inputs in the plugin’s admin settings until official fixes are available.