CVE-2025-8666 is a stored cross-site scripting (XSS) vulnerability identified in the Testimonial Carousel For Elementor plugin for WordPress, affecting all versions up to and including 11.6.2. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping on multiple parameters handled by the plugin. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into testimonial carousel elements. These malicious scripts are stored persistently and executed in the context of any user who visits the infected page, enabling attacks such as session hijacking, cookie theft, defacement, or further privilege escalation within the WordPress environment. The attack vector requires network access (remote) and low attack complexity, with no user interaction needed beyond page access. The vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS v3.1 base score is 6.4, reflecting medium severity, with the vector indicating network attack vector, low complexity, privileges required (low), no user interaction, and scope changed due to potential impact beyond the vulnerable component. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability was reserved in August 2025 and published in October 2025 by Wordfence. This flaw is particularly concerning for WordPress sites that allow contributor-level users to add or edit content, as it enables them to embed malicious scripts that affect all visitors to the compromised pages.

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the Testimonial Carousel For Elementor plugin, especially those that allow contributor-level user roles. Exploitation can lead to unauthorized disclosure of sensitive information such as session tokens or personal data, undermining confidentiality. Integrity of website content can be compromised through defacement or injection of misleading information. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches can be severe. Attackers could leverage this vulnerability to pivot within the network or escalate privileges, increasing the risk of broader compromise. Organizations with public-facing websites that rely on user-generated content or have multiple contributors are particularly vulnerable. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and the widespread use of WordPress in Europe amplify the potential impact.

1. Monitor official sources and update the Testimonial Carousel For Elementor plugin immediately once a security patch is released. 2. Until a patch is available, restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. 3. Implement strict input validation and output encoding at the application level where possible, including custom filters or security plugins that sanitize user inputs. 4. Deploy a Web Application Firewall (WAF) with rules specifically targeting XSS attack patterns to detect and block malicious payloads. 5. Conduct regular security audits and penetration testing focusing on user input handling and plugin vulnerabilities. 6. Educate content contributors about the risks of injecting untrusted content and enforce policies to prevent misuse. 7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 8. Maintain comprehensive logging and monitoring to detect anomalous behavior indicative of exploitation attempts. These measures collectively reduce the attack surface and improve detection and response capabilities.