Security Advisory: XSS in Testimonial Slider (CVE-2025-13897)

Cross-Site Scripting (XSS) in WordPress Client Testimonial Slider Plugin
Plugin Name: WordPress Client Testimonial Slider Plugin
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-13897
Urgency: Low
CVE Publish Date: 2026-01-10
Source URL: CVE-2025-13897

Client Testimonial Slider (≤ 2.0) — Authenticated Contributor Stored XSS (CVE-2025-13897): What it means for your WordPress site

Summary: A stored Cross‑Site Scripting (XSS) vulnerability (CVE‑2025‑13897) in the “Client Testimonial Slider” WordPress plugin (versions ≤ 2.0) allows an authenticated user with Contributor privileges to save malicious input into the testimonial metabox field aft_testimonial_meta_name. When that stored value is later rendered without proper sanitization/escaping, it can execute in the browser of visitors or administrators. This post explains the risk, realistic exploitation scenarios, detection steps, developer fixes, short-term mitigations and long-term hardening measures. The guidance here is written from a Hong Kong security practitioner’s viewpoint — practical, direct, and focused on immediate reduction of risk.

Table of contents

  • What happened (high level)
  • Why this vulnerability matters
  • How the vulnerability works (technical breakdown)
  • Real-world exploitation scenarios and impact
  • How to check if your site is affected
  • Immediate mitigation steps (non‑developer)
  • Developer guidance — secure fixes and sample code
  • WAF guidance — rules and virtual patching
  • Post‑incident steps and recovery checklist
  • Long term hardening and best practices
  • Common questions (FAQ)
  • Summary and final recommendations

What happened (high level)

A stored XSS vulnerability was reported in the WordPress plugin “Client Testimonial Slider” (affected versions ≤ 2.0). The plugin exposes a metabox field named aft_testimonial_meta_name that accepts input from authenticated Contributor accounts. That input can be stored to the database and later output on the front-end or in the admin area without adequate escaping, allowing script execution in the context of the viewer’s browser.

The vulnerability is tracked as CVE‑2025‑13897 and has an assessed CVSS score of 6.5. Exploitation requires an authenticated Contributor-level account, but stored XSS can have outsized impact depending on how and where the injected content is rendered.

Why this vulnerability matters

Contributor is often considered a low-privilege role — it can create content but not publish. Many sites accept testimonial submissions from semi-trusted users or use contributor workflows where Editor/Admins preview content. If a Contributor can store executable HTML that is later viewed by:

  • site visitors (public pages),
  • editors/administrators during preview or edit,
  • or admin users in dashboard screens,

then the malicious JavaScript runs in the victim’s browser. Consequences include credential theft, account takeover, content defacement, redirects to malicious sites, installation of backdoors and further pivoting into the site. Stored XSS is particularly dangerous because a single successful submission can impact many victims over time.

How the vulnerability works (technical breakdown)

At a technical level the chain is:

  1. Plugin exposes metabox field aft_testimonial_meta_name that accepts user input.
  2. Contributor input is saved to post meta without sufficient sanitization (script tags, event-handler attributes and javascript: URIs are not removed).
  3. When testimonials are rendered (front-end or admin), the plugin outputs the meta value directly without proper escaping (such as esc_html, esc_attr) or safe filtering (wp_kses with explicit allowed tags).
  4. A stored XSS payload executes in the browser context of any user viewing the testimonial.
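
The save-and-render chain above, as an added illustration that is not the plugin's own code: a vulnerable metabox save/render pair beside a hardened one. Function, hook and nonce names are assumptions chosen for this example; aft_testimonial_meta_name is the meta key named in the advisory.

```php
<?php
// Added example (not the plugin's own code): the insecure save/render
// pattern described above, beside a hardened version. Hook, function and
// nonce names are assumptions; aft_testimonial_meta_name is the meta key
// named in the advisory.

// --- Vulnerable pattern: raw input stored, raw output echoed ---
function example_save_testimonial_meta_vulnerable( $post_id ) {
    if ( isset( $_POST['aft_testimonial_meta_name'] ) ) {
        // No nonce, no capability check, no sanitization.
        update_post_meta( $post_id, 'aft_testimonial_meta_name', $_POST['aft_testimonial_meta_name'] );
    }
}

function example_render_testimonial_name_vulnerable( $post_id ) {
    // Whatever was stored is emitted into the page unescaped.
    echo '<span class="testimonial-name">' . get_post_meta( $post_id, 'aft_testimonial_meta_name', true ) . '</span>';
}

// --- Hardened pattern: verify the request, sanitize on save, escape on output ---
function example_save_testimonial_meta_secure( $post_id ) {
    // Only accept the field from the plugin's own metabox form (nonce name assumed).
    if ( ! isset( $_POST['example_testimonial_nonce'] )
        || ! wp_verify_nonce( $_POST['example_testimonial_nonce'], 'example_save_testimonial' ) ) {
        return;
    }
    // Ignore autosaves and require edit rights on this specific post.
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['aft_testimonial_meta_name'] ) ) {
        // A name is plain text: strip tags and control characters before storing.
        $name = sanitize_text_field( wp_unslash( $_POST['aft_testimonial_meta_name'] ) );
        update_post_meta( $post_id, 'aft_testimonial_meta_name', $name );
    }
}

function example_render_testimonial_name_secure( $post_id ) {
    // Escape at output time as well; sanitizing on save does not replace this.
    $name = get_post_meta( $post_id, 'aft_testimonial_meta_name', true );
    echo '<span class="testimonial-name">' . esc_html( $name ) . '</span>';
}

add_action( 'save_post', 'example_save_testimonial_meta_secure' );
```

If the field legitimately needs limited markup, replace sanitize_text_field() with wp_kses() and an explicit allowed-tags array, and keep the output escaping matched to the context (esc_attr() inside HTML attributes, esc_html() in element content).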

Common payloads: