CVE-2025-8666 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Testimonial Carousel For Elementor plugin for WordPress, versions 11.6.2 and earlier. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping in multiple parameters handled by the plugin. Authenticated attackers with contributor-level privileges or above can exploit this flaw by injecting arbitrary JavaScript code into testimonial carousel content or related parameters. Because the malicious scripts are stored persistently, they execute in the context of any user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a viable target for attackers aiming to escalate privileges or conduct targeted attacks on WordPress sites using this plugin. The plugin is popular among WordPress users who utilize Elementor page builder, increasing the potential attack surface. The vulnerability was publicly disclosed on October 25, 2025, with no official patch available at the time, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the Testimonial Carousel For Elementor plugin, especially those that allow contributor-level access to multiple users. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of legitimate users, defacement, or distribution of malware through compromised web pages. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and potentially violate GDPR regulations due to unauthorized data exposure. The medium severity score reflects moderate impact on confidentiality and integrity, with no direct availability impact. However, the scope change means that the vulnerability can affect components beyond the plugin itself, potentially impacting other integrated systems or user accounts. European organizations with public-facing WordPress sites, particularly in sectors like e-commerce, media, and government, where contributor roles are common, are at heightened risk. The absence of known exploits currently provides a window for proactive defense, but the ease of exploitation by authenticated users makes timely mitigation critical.

1. Immediately audit and restrict contributor-level access on WordPress sites using the Testimonial Carousel For Elementor plugin to only trusted users. 2. Implement strict input validation and output encoding on all user-supplied content fields related to the plugin, either via custom code or security plugins that enforce sanitization. 3. Monitor and review testimonial content and other plugin-managed inputs regularly for suspicious scripts or unauthorized changes. 4. Disable or remove the Testimonial Carousel For Elementor plugin if it is not essential, reducing the attack surface. 5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 6. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns specific to this plugin to block exploit attempts. 7. Educate site administrators and contributors about the risks of injecting untrusted content and the importance of secure content management practices. 8. Consider implementing Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads.