Fortinet Discovers WordPress Strong Testimonials Plugin Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in the WordPress Strong Testimonials plugin.
Strong Testimonials is a popular lightweight WordPress plugin that lets users collect and publish testimonials or reviews. The plugin has a paid version with enhanced premium features and has over 90,000 active installations.
A stored XSS vulnerability exists in version 2.40.0 of the plugin. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code into plugin pages that are viewed by other users.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.Plugin.Strong.Testimonials.XSS
Released Jan 21, 2020
Users should update the plugin to the latest version (2.40.1).
Timeline
Fortinet reported the vulnerability to MachoThemes on January 20, 2020
MachoThemes confirmed the vulnerability on January 21, 2020
MachoThemes released patch for the vulnerability on January 25, 2020