The Client Testimonial Slider plugin for WordPress, developed by amu02aftab, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-2716. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically in the 'Testimonial Heading' setting. The plugin fails to adequately sanitize and escape user-supplied input before rendering it on pages, enabling an attacker with Administrator-level privileges to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the compromised page. The vulnerability affects all versions up to and including 2.0 and is limited to WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, which restricts HTML input for non-admin users. Exploitation requires authenticated access with high privileges, no user interaction is needed for the payload to execute once injected, and the scope is limited to the affected plugin's pages. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, with no availability impact. No patches or exploits are currently publicly available, but the vulnerability poses a risk of session hijacking, defacement, or other malicious actions via script execution.

The primary impact of this vulnerability is the potential for malicious script injection leading to unauthorized actions on behalf of users who view the compromised pages. Although exploitation requires administrator-level access, attackers who gain such privileges can leverage this vulnerability to execute persistent XSS attacks, potentially stealing session cookies, performing actions as other users, or defacing websites. This can degrade user trust, lead to data leakage, and facilitate further attacks within the WordPress multi-site environment. Since multi-site installations often manage multiple websites from a single WordPress instance, the impact can be amplified across several sites. The vulnerability does not directly affect availability but compromises confidentiality and integrity of user sessions and data. Organizations relying on this plugin in multi-site setups or with restricted HTML capabilities are at higher risk. The medium CVSS score reflects the limited attack surface but notable consequences if exploited.

To mitigate this vulnerability, organizations should first check if an updated version of the Client Testimonial Slider plugin is available that addresses the input sanitization and output escaping issues; applying such patches is the most effective measure. If no patch exists, administrators should consider disabling or removing the plugin from multi-site WordPress installations or those with unfiltered_html disabled. Restrict administrator access strictly to trusted personnel to reduce the risk of malicious input injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the testimonial heading fields. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly audit plugin configurations and user inputs for suspicious content. Monitoring logs for unusual administrator activity can also help detect exploitation attempts early. Finally, educate administrators about the risks of injecting untrusted content even with high privileges.