CVE-2025-67912 is a stored cross-site scripting (XSS) vulnerability identified in the Stars Testimonials WordPress plugin developed by Gal Dubinski, affecting all versions up to and including 3.3.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the testimonial content that is displayed using sliders and masonry grids. This flaw allows an attacker to inject malicious JavaScript code that is stored persistently on the website's database and executed in the context of any user visiting the affected pages. Since the vulnerability is stored XSS, it can be exploited by submitting crafted testimonial entries or other input fields that are not properly sanitized or encoded before rendering. The lack of a CVSS score indicates that the vulnerability is newly published and has not yet been fully assessed, but the technical details confirm that no authentication or user interaction beyond visiting the compromised page is required to trigger the exploit. The absence of known exploits in the wild suggests that active exploitation has not yet been observed, but the risk remains significant due to the common use of this plugin in WordPress environments. The vulnerability can lead to session hijacking, theft of sensitive cookies, defacement of websites, redirection to malicious sites, and distribution of malware. The plugin is widely used in websites that showcase customer testimonials, often in e-commerce, service, and marketing sectors, making it a valuable target for attackers aiming to compromise site visitors or administrators. The vulnerability was reserved and published in December 2025, with no patch links currently available, indicating that users must monitor for updates or apply manual mitigations.

For European organizations, the impact of CVE-2025-67912 can be substantial, particularly for those relying on WordPress-based websites that use the Stars Testimonials plugin to display customer feedback. Exploitation of this stored XSS vulnerability can lead to unauthorized execution of malicious scripts in the browsers of site visitors and administrators, potentially resulting in credential theft, session hijacking, and unauthorized access to sensitive information. This can damage organizational reputation, lead to data breaches, and cause financial losses due to fraud or remediation costs. Additionally, attackers could deface websites or redirect users to phishing or malware distribution sites, undermining trust and compliance with data protection regulations such as GDPR. The vulnerability's presence in public-facing testimonial features increases the attack surface, especially for organizations in sectors like retail, hospitality, and professional services that heavily utilize testimonials for marketing. The lack of a patch at the time of publication means organizations must act swiftly to mitigate risks. Given the widespread use of WordPress in Europe and the popularity of testimonial plugins, the threat is relevant across multiple industries and countries.

European organizations should take the following specific actions to mitigate CVE-2025-67912: 1) Immediately inventory all WordPress sites to identify installations of the Stars Testimonials plugin and determine the version in use. 2) Monitor the vendor’s official channels and security advisories for the release of a patch addressing this vulnerability and apply updates promptly once available. 3) Until a patch is released, implement manual input validation and output encoding on testimonial input fields to neutralize potentially malicious scripts. This can be done by using security plugins or custom code that sanitizes user input and encodes output to prevent script execution. 4) Restrict who can submit testimonials by limiting permissions to trusted users or implementing CAPTCHA to reduce automated malicious submissions. 5) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 6) Conduct regular security audits and penetration testing focused on XSS vulnerabilities in web applications. 7) Educate site administrators and developers about secure coding practices and the risks of stored XSS. 8) Consider temporary disabling the testimonial feature if mitigation is not feasible until a patch is applied. These steps go beyond generic advice by focusing on plugin-specific controls and proactive monitoring.