CVE-2025-62933
📋 TL;DR
This Cross-Site Request Forgery (CSRF) vulnerability in the Awesome Testimonials WordPress plugin allows attackers to inject malicious scripts that execute when administrators view testimonial submissions. The stored XSS component means injected scripts persist and affect all users viewing the testimonials. WordPress sites using Awesome Testimonials version 2.2.1 or earlier are affected.
💻 Affected Systems
- Awesome Testimonials WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, install backdoors, deface websites, steal sensitive data, or take full control of the WordPress site.
Likely Case
Attackers inject malicious JavaScript to steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper CSRF tokens and input validation, the attack would fail, preventing unauthorized actions and script injection.
🎯 Exploit Status
Exploitation requires tricking an authenticated user (typically an administrator) into clicking a malicious link or visiting a compromised page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Awesome Testimonials and click 'Update Now'. 4. Verify the plugin version is 2.2.2 or higher.
🔧 Temporary Workarounds
Disable Testimonial Submissions
allTemporarily disable testimonial submission functionality to prevent exploitation.
Navigate to plugin settings and disable public submissions
Implement CSRF Protection
allAdd custom CSRF tokens to testimonial submission forms.
Add nonce verification to form processing code
🧯 If You Can't Patch
- Disable the Awesome Testimonials plugin completely until patching is possible
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins > Awesome Testimonials versionCheck Version:
wp plugin list --name=awesome-testimonials --field=versionVerify Fix Applied:
Confirm plugin version is 2.2.2 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual testimonial submissions with script tags
- Multiple failed CSRF token validations
- Admin users submitting testimonials from unexpected IPs
Network Indicators:
- POST requests to testimonial endpoints without referrer headers
- Requests containing script tags in testimonial data
SIEM Query:
source="wordpress.log" AND ("awesome-testimonials" AND ("script" OR "onerror" OR "javascript:"))