CVE-2025-8666 identifies a stored cross-site scripting (XSS) vulnerability in the Testimonial Carousel For Elementor plugin for WordPress, versions up to and including 11.6.2. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where multiple parameters are not adequately sanitized or escaped before being rendered on pages. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages managed by the plugin. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is remotely exploitable over the network without user interaction but requires authentication with low privileges, which is common in many WordPress environments where contributors can add or edit content. The CVSS v3.1 base score is 6.4, reflecting medium severity due to the combination of network attack vector, low attack complexity, and partial impact on confidentiality and integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions up to 11.6.2, indicating a broad impact on users of this popular plugin. The issue was reserved in August 2025 and published in October 2025 by Wordfence, a reputable security source.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the affected plugin. This can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the scripts execute in the context of the victim's browser, the confidentiality and integrity of user data can be compromised. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, reputational damage and loss of user trust can indirectly affect business operations. Organizations relying on the Testimonial Carousel For Elementor plugin are at risk, especially those with multiple contributors or editors who have authenticated access. The vulnerability's exploitation requires authentication but no user interaction, making it easier for insiders or compromised contributor accounts to be leveraged for attacks. This threat is particularly relevant for websites with high traffic or sensitive user data, such as e-commerce, membership, or corporate sites. The lack of known exploits in the wild suggests limited current active exploitation, but the medium severity score and ease of exploitation warrant prompt remediation.

To mitigate this vulnerability, organizations should first check for and apply any available updates or patches from the plugin vendor as soon as they are released. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the affected plugin parameters can provide temporary protection. Additionally, site owners should enforce strict content security policies (CSP) to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts or anomalous content can help detect exploitation attempts early. Educating contributors about safe input practices and monitoring plugin usage can reduce the risk of accidental or malicious injection. Finally, consider disabling or replacing the vulnerable plugin with a more secure alternative if immediate patching is not feasible.