CVE-2025-7367 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Strong Testimonials plugin for WordPress, developed by wpchill. This vulnerability exists in all plugin versions up to and including 3.2.11. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied data in testimonial custom fields. Authenticated users with Author-level privileges or higher can inject arbitrary JavaScript code into testimonial entries. When other users, including site administrators or visitors, access pages displaying these testimonials, the malicious scripts execute in their browsers. This can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond viewing the injected page and does not affect availability but impacts confidentiality and integrity. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

The primary impact of CVE-2025-7367 is the compromise of user confidentiality and integrity on WordPress sites using the Strong Testimonials plugin. Attackers with Author-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. This can undermine trust in the affected websites and lead to data breaches or further compromise of site infrastructure. Since WordPress powers a significant portion of websites globally, and Strong Testimonials is a popular plugin for displaying user feedback, the scope of affected systems is broad. Organizations relying on this plugin risk exposure to targeted attacks, especially if they allow multiple authors or contributors with elevated privileges. The vulnerability does not affect availability directly but can indirectly cause service disruption if exploited for further attacks or administrative takeover.

To mitigate CVE-2025-7367, organizations should immediately update the Strong Testimonials plugin to a patched version once released by wpchill. In the absence of an official patch, administrators should restrict Author-level and higher privileges to trusted users only and audit existing testimonial custom fields for suspicious content. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting testimonial fields can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly scanning the website for malicious scripts and monitoring user activity logs can help detect exploitation attempts. Developers maintaining custom integrations should ensure proper input validation and output encoding consistent with secure coding practices. Finally, educating content authors about the risks of injecting untrusted content can reduce inadvertent exploitation.